hxxps://sub2unlock[.]io/OtHqI

Analysis

max time kernel
111s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://sub2unlock.io/OtHqI

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	setup18139554.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	executor xeno_18139554.exe

Executes dropped EXE 13 IoCs

pid	Process
5672	executor xeno_18139554.exe
5744	setup18139554.exe
5892	setup18139554.exe
5808	opera.exe
3808	setup.exe
3256	setup.exe
3592	setup.exe
6024	setup.exe
6104	setup.exe
5776	Assistant_114.0.5282.21_Setup.exe_sfx.exe
4048	assistant_installer.exe
6000	assistant_installer.exe
4860	OfferInstaller.exe

Loads dropped DLL 64 IoCs

pid	Process
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5892	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	setup18139554.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	setup18139554.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	setup18139554.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	setup18139554.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	setup18139554.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	setup18139554.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	setup18139554.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	setup18139554.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
5060	tasklist.exe
5396	tasklist.exe
5212	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Assistant_114.0.5282.21_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup18139554.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	opera.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OfferInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	executor xeno_18139554.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup18139554.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
5348	timeout.exe
5748	timeout.exe
6088	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Opera GXStable	executor xeno_18139554.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	executor xeno_18139554.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	executor xeno_18139554.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	setup18139554.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup18139554.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup18139554.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 878443.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2304	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1636	msedge.exe
1636	msedge.exe
440	msedge.exe
440	msedge.exe
1508	identity_helper.exe
1508	identity_helper.exe
6004	msedge.exe
6004	msedge.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
5744	setup18139554.exe
4860	OfferInstaller.exe
4860	OfferInstaller.exe
4860	OfferInstaller.exe
4860	OfferInstaller.exe
4860	OfferInstaller.exe
4860	OfferInstaller.exe
4860	OfferInstaller.exe
4860	OfferInstaller.exe
4860	OfferInstaller.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 33	4652	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4652	AUDIODG.EXE
Token: SeDebugPrivilege	5744	setup18139554.exe
Token: SeDebugPrivilege	4860	OfferInstaller.exe
Token: SeDebugPrivilege	5060	tasklist.exe
Token: SeDebugPrivilege	5396	tasklist.exe
Token: SeDebugPrivilege	5212	tasklist.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
5672	executor xeno_18139554.exe
5808	opera.exe
3808	setup.exe
3256	setup.exe
3592	setup.exe
6024	setup.exe
5744	setup18139554.exe
6104	setup.exe
5776	Assistant_114.0.5282.21_Setup.exe_sfx.exe
4048	assistant_installer.exe
6000	assistant_installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 1948	440	msedge.exe	82
PID 440 wrote to memory of 1948	440	msedge.exe	82
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 2560	440	msedge.exe	83
PID 440 wrote to memory of 1636	440	msedge.exe	84
PID 440 wrote to memory of 1636	440	msedge.exe	84
PID 440 wrote to memory of 5028	440	msedge.exe	85
PID 440 wrote to memory of 5028	440	msedge.exe	85
PID 440 wrote to memory of 5028	440	msedge.exe	85
PID 440 wrote to memory of 5028	440	msedge.exe	85
PID 440 wrote to memory of 5028	440	msedge.exe	85
PID 440 wrote to memory of 5028	440	msedge.exe	85
PID 440 wrote to memory of 5028	440	msedge.exe	85
PID 440 wrote to memory of 5028	440	msedge.exe	85
PID 440 wrote to memory of 5028	440	msedge.exe	85
PID 440 wrote to memory of 5028	440	msedge.exe	85
PID 440 wrote to memory of 5028	440	msedge.exe	85
PID 440 wrote to memory of 5028	440	msedge.exe	85
PID 440 wrote to memory of 5028	440	msedge.exe	85
PID 440 wrote to memory of 5028	440	msedge.exe	85
PID 440 wrote to memory of 5028	440	msedge.exe	85
PID 440 wrote to memory of 5028	440	msedge.exe	85
PID 440 wrote to memory of 5028	440	msedge.exe	85
PID 440 wrote to memory of 5028	440	msedge.exe	85
PID 440 wrote to memory of 5028	440	msedge.exe	85
PID 440 wrote to memory of 5028	440	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://sub2unlock.io/OtHqI
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbe2f46f8,0x7ffdbe2f4708,0x7ffdbe2f4718
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7080 /prefetch:8
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7080 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4240 /prefetch:8
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6132 /prefetch:8
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6004
- C:\Users\Admin\Downloads\executor xeno_18139554.exe
  "C:\Users\Admin\Downloads\executor xeno_18139554.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5672
- - C:\Users\Admin\AppData\Local\setup18139554.exe
    C:\Users\Admin\AppData\Local\setup18139554.exe hhwnd=524814 hreturntoinstaller hextras=id:6799040925c8e05-FR-x76C9
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5744
  - - C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 4860" /fo csv
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5396
      - C:\Windows\SysWOW64\find.exe
        
        find /I "4860"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4212
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5748
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 4860" /fo csv
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5212
      - C:\Windows\SysWOW64\find.exe
        
        find /I "4860"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:456
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:6088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
      4⤵
      System Location Discovery: System Language Discovery
      PID:5076
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 5744" /fo csv
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "5744"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5900
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5348
- - C:\Users\Admin\AppData\Local\setup18139554.exe
    C:\Users\Admin\AppData\Local\setup18139554.exe hready
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5892
- - C:\Users\Admin\AppData\Local\opera.exe
    C:\Users\Admin\AppData\Local\opera.exe --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5808
  - - C:\Users\Admin\AppData\Local\Temp\7zS0B6F8478\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS0B6F8478\setup.exe --silent --allusers=0 --server-tracking-blob=ZjUyOWQzYzc5M2EzYzJhODIxYjA1YTQ3NmU4ZjJmMGUzNmZlYzc3MzE5NTJlMDJmNGZmY2ZlZmU3ZmY4MDIwOTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPUluc3RhbGx1bmlvbiZ1dG1fbWVkaXVtPXBiJnV0bV9jYW1wYWlnbj01aWV1IiwidGltZXN0YW1wIjoiMTcyODE4MTQxOS4zODQ0IiwidXNlcmFnZW50IjoiTW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNy4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNy4wOyAuTkVUNC4wQzsgLk5FVDQuMEU7IC5ORVQgQ0xSIDIuMC41MDcyNzsgLk5FVCBDTFIgMy4wLjMwNzI5OyAuTkVUIENMUiAzLjUuMzA3MjkpIiwidXRtIjp7ImNhbXBhaWduIjoiNWlldSIsIm1lZGl1bSI6InBiIiwic291cmNlIjoiSW5zdGFsbHVuaW9uIn0sInV1aWQiOiJmODhiZTEzMy1lZDI2LTQ3N2YtOGE0Mi0wMzFiNGU0MWFmODAifQ==
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      PID:3808
    - - C:\Users\Admin\AppData\Local\Temp\7zS0B6F8478\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0B6F8478\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x328,0x32c,0x330,0x324,0x334,0x6ef369d4,0x6ef369e0,0x6ef369ec
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3256
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3592
    - - C:\Users\Admin\AppData\Local\Temp\7zS0B6F8478\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0B6F8478\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3808 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241006022340" --session-guid=e0977046-14b8-4bd0-9f75-dd059ccec778 --server-tracking-blob=MzhiYmVmZGJiMzY0MTZlYzQxYjUyYzFjZmFiMzdiODk0MmEyMzJkNjE1Y2Y1ZmQ2YzgwY2NkMjFmYWUxMTYzNTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPUluc3RhbGx1bmlvbiZ1dG1fbWVkaXVtPXBiJnV0bV9jYW1wYWlnbj01aWV1Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzI4MTgxNDE5LjM4NDQiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzQuMCAoY29tcGF0aWJsZTsgTVNJRSA3LjA7IFdpbmRvd3MgTlQgNi4yOyBXT1c2NDsgVHJpZGVudC83LjA7IC5ORVQ0LjBDOyAuTkVUNC4wRTsgLk5FVCBDTFIgMi4wLjUwNzI3OyAuTkVUIENMUiAzLjAuMzA3Mjk7IC5ORVQgQ0xSIDMuNS4zMDcyOSkiLCJ1dG0iOnsiY2FtcGFpZ24iOiI1aWV1IiwibWVkaXVtIjoicGIiLCJzb3VyY2UiOiJJbnN0YWxsdW5pb24ifSwidXVpZCI6ImY4OGJlMTMzLWVkMjYtNDc3Zi04YTQyLTAzMWI0ZTQxYWY4MCJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0806000000000000
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6024
      - C:\Users\Admin\AppData\Local\Temp\7zS0B6F8478\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0B6F8478\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x320,0x324,0x334,0x2fc,0x338,0x6cd169d4,0x6cd169e0,0x6cd169ec
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6104
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410060223401\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410060223401\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5776
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410060223401\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410060223401\assistant\assistant_installer.exe" --version
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4048
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410060223401\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410060223401\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0xad17a0,0xad17ac,0xad17b8
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6000
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\file.txt
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6709128952370780754,1603729678159159807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7200 /prefetch:1
  2⤵
  PID:676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4652

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x314 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
864B

MD5
a5d0acd45d34efccf856ca42acaacb2f

SHA1
2c0285a0724a19e20a33fe1ab3f132bb3359d477

SHA256
a1eaada4fd54d615dcd267301d1a31921fa19d2ce9828905b351d053b2e34c29

SHA512
e723156810e3e1e56e7605e5d641c7fbe68ab5ae43e1ec9ffca0a5fee1d8decc9914ad859145caefd2f673ffa2ca1ea68681bc1e5c11de9e522562c6b52c8c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
97a1b0e283dbe7692005faf120b93c91

SHA1
716f68f2af6f5e1f843e0724c582b8e500463412

SHA256
7e1a4e366ade9b2f06e546047e3c950238df4f2ad78196ac4655562648274c0d

SHA512
e4e1b15ef2e149edfd34b804154177bbc414f74c58ab1cd9a27a76c5f3ba955d9fee915ae2551939af039a82faa75bd1db1e317623e70d87f9941ef5b9e01e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1e60160823c8ddbee046d008cfb6236b

SHA1
ae128ee9fd3d42b6c3c7c5fabb98c85f18860f62

SHA256
761ed34bb94d036e6c746a4241923cfad98d20cf9a1571640b5c63f719d5e768

SHA512
b42532ebc9547bfb0262759f39c8cd8f81d1d289f0baa5d1031919e6231f49ad99eeebd9c42955960f16bee942079e07946e712735761190040632a1801ad50a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c0bd197b5c2522e18ee5678852ba88dd

SHA1
3cd27ee07320738a852d4cce5253d0e61fe61c2e

SHA256
fdc7fcaf6a0379a14b1cbc6745f5829c3e1c4754de042cc8346290f8e60ec31d

SHA512
0e406995285d2d43798eeb1d54cebd8d3bee3a6de7ceeceb41dee3aea888970ec7f29005c79e0db00620f58769adfb2afe95a2ee2c271161f9d5f92893b446be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1b2ea76d1f4dd9994ad3fe683047823b

SHA1
9ce3a3f6be907283c80ad41945105d0d89b09c56

SHA256
1b4b49966677e5ec2ecbd8e9bd1c5133b78c1a7a28671c639561610fd00fd237

SHA512
35d8ed89b5d8823a69e880ed98747cb0f0545839d338d96085ea26b0422a056832f9d65fe6b8f1bd4d8fefb8ca5b9f9fc0779ec226527c30a6dfd55d6299d835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a1915a11f4418a663e1a95d7b860aea3

SHA1
b1f9d8f9a2bc9482e1efc7b9a10e90065a7a9f54

SHA256
ff1b3284e0862a562b29b8ae04f6dd6fb9c327192d053ab4dfdbc8c56e591918

SHA512
b49bd0f26e613bf9ec38821a3d81fcb7c25df22ca527a4aafbd4deb12469b1dcbd99c7d3e00c1a63d6299fe4ca69124a0a03b28ccb490e1a0e4d5adacef0fe34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8c69fd5962b22a078d7295294f548ff9

SHA1
2e943af0f5206be644278fdf78a074065f2c116d

SHA256
5bd05be773c353019bc8778a55fe8fbe9b36fdc283eea7c891efa208463814c0

SHA512
3288a95371aaf02875c1d3ea693ec3035e7781821e60b48069f163a08ffa8fb8819bc7808a04c9897a5f438457466fa0597e80331f9b73b03b0ecd718efbd59f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
fbc93b65b45c663ab93a1982b454f6dc

SHA1
985e67a7f02664ba873411c52e6f0577e974f1db

SHA256
4d0a37c2af40433f3fc3a5902e84e1d3070afed709a1224ef399256b83f25a3a

SHA512
79e1028688efc395dfbaf737e057d7e45431917e7f89048c9b9c4f88eedc563316d9d87a9dbc4719e63d1b9ab4037be40d5a20f251b1d69300017461d68252d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\8e371fc8-d921-4ce6-a294-10342729aef9\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\96035feb-89a8-459f-8fae-256a866f78f9\index-dir\temp-index

Filesize
624B

MD5
e0377b3b72b09b3bb9a41973a10e5f45

SHA1
1445209246a6f3a04a90d0b4445c13ec8edf2f24

SHA256
c717c8c23a5f5fc548b7b47de821312366d709f5042485c4329da46e7d28a2bb

SHA512
b3c58a04bcff35893a3c9035627715fca641af7a8d2d34f36fb8ed265adb1ee71ff9b6d43b86ae7df6e4566b1adeba67b83e0e643f11f431631f7b05811f549d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\96035feb-89a8-459f-8fae-256a866f78f9\index-dir\the-real-index~RFe57e416.TMP

Filesize
48B

MD5
f5277243bf95ad9d7e334ae56cd76f16

SHA1
e64e3997f31b6f91fd9c2da0efb571261a90b739

SHA256
9a5bc631b8c7a9e388b57cbc9c3ad0be6dd5eac21f86e338b7e55d67950d0b49

SHA512
bda4e4fb3c5ffbe2abe9c9281d3e37496a9095c5753ab9855adb8cbde4e865f9152bc3de2cf689e0c588b1b90e85a6c3e6d55b4ce1d3d8813e59d44e022090fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f79d13fc-6690-4b86-b8ff-f7f9cc207ece\index-dir\the-real-index

Filesize
2KB

MD5
f1d883f2424fce4f71f76b60d6eeeb20

SHA1
59e4b5d0ee8c2fcca7e6fd09eea5e023b3d36b41

SHA256
910ef60957a0b90c4b8a59565494612e9639efdca7dade98d999a2e037b79fae

SHA512
07c8344dfa6382d17e1175aa1f5eafaa82f7b85d15458950d150d458edbc2ff444861b23b4383abef6cce8a91a3c46e6671786e5cc32a2503bd1b68886cdbf47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f79d13fc-6690-4b86-b8ff-f7f9cc207ece\index-dir\the-real-index~RFe57fa6d.TMP

Filesize
48B

MD5
e4505408a1dbdafd4ed5d020470ca456

SHA1
9a70469363a2a5be0097d1f1f646d21a256ac60f

SHA256
1cbc97b0541f387e1ecb1bef427618d72149fb7dd926ceed8165debaccf63da8

SHA512
40b6f7b618548103ee264387c3a02c04e80235fd615c1225f4016e2438aff5a2bc6dcafddee94370b3ce75f1b8bdff858b402608c55078006f0bdcc9d05b944f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
55d9dcce25ec22baeacafb10ab65475f

SHA1
2bdec592d5121b27f676ab49257143833c3ac603

SHA256
582641dd615974e0288afa58ee0fbbb0f6dc6a1ab7fc5aae1d16ebbe47b2ccc5

SHA512
30e1c165b802b00d660c7ba71a211280e4318db80e7ad5ef9d7efd27da204d5e484cedb13ed16114882ba51f419a130479c05f0421e5d701025cb5eb31f3672e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
9973a941844fcb935ba020d686c378ee

SHA1
5f1995303255685ed937cd16c92f7d4db283e9af

SHA256
7e8991f04a91c6a3c379581ebd9dec32a40b788707a40bc666aa802eef549ba8

SHA512
43906d6e0d9b0b2b6d207199f82d2e9743e2a348b7ef9afac423810f6a96a0578d4bbacaab5aedccd7f098b26d32fd073c36ebf198730ac8ca72e3c9891560c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
155B

MD5
00a9cdb7aadef9ff165bf64dba243c7d

SHA1
dc16d5965bbfd12584016d074614e62980a269a7

SHA256
3b4524e5a87e39ff89aab6ed042aa11eb87c04579499f59bbb9798d8282bd3a0

SHA512
aa9b7d0b2c7c15adb85a6f60daef251fcca5484e44d4d67161613ca9090eaaa49f28b65c4e9dc073a04be93d3325bed1d078c127a63301ebd655630c29c5055b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
217B

MD5
8688134640fc8227f152f11203f4fc3e

SHA1
2b5360d21d59465f8c94d11561faacd4bbf9258a

SHA256
51d4c72795fe24e386cce81e62cb6cbf26f82edd4b0cbc565646488798bebf2d

SHA512
e62177e094234a8d1fc86576dad77366aa8136f63eba606599b524f5cece16062d7babd128ab6f43758cd8d46ea97cb3f1dd0e38aa37f5533041dbfed77ad6db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
37ebf1f7beec44aa4995c74044304fd7

SHA1
794f7c24128e855d1872c1b6ec7a4c7ce6bf5dda

SHA256
b34b0e3d2ccbfacc933e1ed74c39186783480615b8856de6ecf7d6ba686d97c0

SHA512
6eb019531901d2f4db47b85d8ca959b2745b5e9e937d75d3e7d5123d295a4887729e832c3d428d29509dc2dabd85fee9dfc4ef0e66d1327f3097cbe2381deb5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
3c10affa4c5081311788f66dd5b41186

SHA1
4661e248a1130a31861c8259cbc1554552b4906b

SHA256
89d0580e15045a9c0299b817335806b224dc9b8b76235ef09d792e246ee35fe9

SHA512
c82a80578dc718d51ba124d8570e57ecd0f7ec8214ecdc16588a9808d2f08d3959dbbdf783201e3e391dd9b9d3fd06d4c0a3062ff2c5c842b5b9156c1e58bc8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
586b2a17e7477b1cf00d365793cb6b11

SHA1
9b58356a7d09b826da269fd412a789083d8b2a7d

SHA256
49f4af35b6bedf77558eed2db7efdcf04152754156463a997676a6747ce343fb

SHA512
9fbe84277de152d09a525b3c2f3d85e510d8031abbd639ee0cfe40ac47d250d970804ecceb85d8410367ffb46028b4a2f3e0829d103481afc7018bd372235905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
2db2104f61937dbc769b96318704b66c

SHA1
e3a29c1c2ad234188c04f18489e5abfc15217a61

SHA256
11d2b9b7a0f827139d6179f250dd3efa41f4634642ef104333a2176a0b3e0cdd

SHA512
041ab8b1d309218b15dacf52815c98f96ba9511f0b1369b407fd50bd68d773e2ff141bd464793416f053e4adee80421735734734e6c48746a4ed78843d04b1aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d8fb.TMP

Filesize
48B

MD5
fd0189f2a64894609766a8120aa0b9e9

SHA1
67bcc959f590ec0b6a71ca0e3a1b4a89586b2e6f

SHA256
39a56750e6faee2e06e45c504227dd5b4c020fe1e3569b80f6a4c8f4bd29dda8

SHA512
bff15b66a1d8db90edf62f4466dae2861599b2ddda5d5f9d1f7486b04c825f44394bb67ffacb22297db27bfae9041d8f0c084c6cd409664b2701acd68c90d844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
89370d3ebfa0f7eeae2e7198c115d8a3

SHA1
d10a35d7b310dcabb726884dab305dafcf7b2aa4

SHA256
ed72a5adfda9c1a5a7e8cb8f880da82a31351aded55c2d367db0453689e4b1dd

SHA512
7197775482269b7d1a16fcc817da6d59ba707bfa048baebfec60e92bd4b429aba45af93df055b530cfd7d8ddb5aebd79e6f534ab62e3594e5ea9be6c37847987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a20098f8195e433d0196f94e9f5c03ce

SHA1
916f2ee9d6b079cb3fad17460ce4329213ba92c8

SHA256
336b03cbb47cae55a82f0568edd4c3e06e2b0e9d61f0b599b9715df1c41bcfd3

SHA512
73e2cdf7c1800c48bb6a9cdea755c34b96a7d267befb78c8c71945392f0df59eecbcc17f68da33f044bea71462bd529a467cd9b5ba91b6537201cd6023527677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ae19649550fa85a8e8d1c7840db0710c

SHA1
455450d320426fc92d6bda518cbbd77e650450fa

SHA256
3711552b6005d99d2f9e7065bccee7cb71899a7e1335113f35b6aa2b03c5cc24

SHA512
2e5c385bcb433f491f5d5b49814dd6257957fc9c601cfbc87afe7d3a8d364696cba0a99507172ecc06f428fb73a4f8e33c45c3926a21c83a6c6ff1909e4e5fc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c0ee.TMP

Filesize
1KB

MD5
520ceb664ba37a34bc6bc9f23ff236e4

SHA1
ac839d153d614adb599805435cda0aa6b8c72212

SHA256
1d9d054e05ba9a270abf0ca5f7deb18aa1eb0fa8852d80b49039362ad32c6a50

SHA512
aaef4947f3084db0fa69c2aba747aac7bb3738b0d03c0d39e0f8a76a126da37131999c2388c2d6ab501ec70a3c4b12109d340905795c1542e3fc2dc80860ac3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
93e239bf81faa45c7ab3034cd1f332ac

SHA1
770edfda4eef2b5a5dd7c05553b3874711664a73

SHA256
6f03824cf8bd4a62af96a58531cb515c757732d53e86778047e0f130bfd6febf

SHA512
c72ae73bf2eee9d3f53b306bf59ee8c290af586284bd3d5a3b3bbe37ed28ed22069de1ab4dc93469793f872bbdd08e2983919be4dec91aa77d8dac9d17641b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2ef0161f4079a98f28404922b8513806

SHA1
6381187ae70bae8e4e61e9ef3ed2b20b36f82b2b

SHA256
2bbf20630035601121bccf74684f599fdc76ac6e1c5f85f6a08c542aa71ba554

SHA512
a603a48b37e65f4960776a2631ae4f2a5de46c3bfc5fb35eb8ed6f53c42744dabcc4ffd57743416a6c80d26491640c6c07556f1f927ffff23c5f0eefbc3aa93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410060223401\additional_file0.tmp

Filesize
2.7MB

MD5
be22df47dd4205f088dc18c1f4a308d3

SHA1
72acfd7d2461817450aabf2cf42874ab6019a1f7

SHA256
0eef85bccb5965037a5708216b3550792e46efdfdb99ac2396967d3de7a5e0c8

SHA512
833fc291aacecd3b2187a8cbd8e5be5b4d8884d86bd869d5e5019d727b94035a46bb56d7e7734403e088c2617506553a71a7184010447d1300d81667b99310c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe

Filesize
5.4MB

MD5
c9eaa2458c4d06ec258c79360b418430

SHA1
1452c54b8653f7f8b770a1b0c3a1b1aac045bdc5

SHA256
281460bcc97d91be23ba1e136e26e0a65f6adb759fca1d7ffdee98931aa6b21c

SHA512
bd96d07e1c434859a5242b532fe68fb24f64cd344d87af8a5e386fa3435c3e3ceffe54f79bebb73b178781fcbdf34e374d9b96872d31339a5e0fc4ca95f127e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2410060223402723256.dll

Filesize
4.8MB

MD5
f0cde99844b3289d1eb241f0324a4ac4

SHA1
66f2d0bfb4f9048d35b5b93e9e89e7a03bb3a7f7

SHA256
01e6841403ff084cc38ca19ac3db55954a0c8bc4cfeb55bb1c9c70a4a373c3c2

SHA512
68dfb6fede9fdcecb5296a38a4d11280255db75bde5f5adf8dd68c95d8fd66dbad143d13ad97aebd5511f63656a14edc8b7de01d77902faa68a7fe2af136b97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.LastScreen.dll

Filesize
57KB

MD5
6e001f8d0ee4f09a6673a9e8168836b6

SHA1
334ad3cf0e4e3c03415a4907b2d6cf7ba4cbcd38

SHA256
6a30f9c604c4012d1d2e1ba075213c378afb1bfcb94276de7995ed7bbf492859

SHA512
0eff2e6d3ad75abf801c2ab48b62bc93ebc5a128d2e03e507e6e5665ff9a2ab58a9d82ca71195073b971f8c473f339baffdd23694084eaaff321331b5faaecf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll

Filesize
117KB

MD5
08112f27dcd8f1d779231a7a3e944cb1

SHA1
39a98a95feb1b6295ad762e22aa47854f57c226f

SHA256
11c6a8470a3f2b2be9b8cafe5f9a0afce7303bfd02ab783a0f0ee09a184649fa

SHA512
afd0c7df58b63c7cfdbedea7169a1617f2ac4bad07347f8ed7757a25ab0719489d93272109b73a1b53e9c5997dedad8da89da7b339d30fc2573ca2f76c630ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll

Filesize
5.7MB

MD5
38cc1b5c2a4c510b8d4930a3821d7e0b

SHA1
f06d1d695012ace0aef7a45e340b70981ca023ba

SHA256
c2ba8645c5c9507d422961ceaeaf422adf6d378c2a7c02199ed760fb37a727f2

SHA512
99170f8094f61109d08a6e7cf25e7fba49160b0009277d10e9f0b9dac6f022e7a52e3d822e9aee3f736c2d285c4c3f62a2e6eb3e70f827ac6e8b867eea77f298

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2ODAL.dll

Filesize
15KB

MD5
422be1a0c08185b107050fcf32f8fa40

SHA1
c8746a8dad7b4bf18380207b0c7c848362567a92

SHA256
723aea78755292d2f4f87ad100a99b37bef951b6b40b62e2e2bbd4df3346d528

SHA512
dff51c890cb395665839070d37170d321dc0800981a42f173c6ea570684460146b4936af9d8567a6089bef3a7802ac4931c14031827689ef345ea384ceb47599

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll

Filesize
75KB

MD5
c06ac6dcfa7780cd781fc9af269e33c0

SHA1
f6b69337b369df50427f6d5968eb75b6283c199d

SHA256
b23b8310265c14d7e530b80defc6d39cdc638c07d07cd2668e387863c463741d

SHA512
ad167ad62913243e97efaeaa7bad38714aba7fc11f48001974d4f9c68615e9bdfb83bf623388008e77d61cee0eaba55ce47ebbb1f378d89067e74a05a11d9fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll

Filesize
19KB

MD5
554c3e1d68c8b5d04ca7a2264ca44e71

SHA1
ef749e325f52179e6875e9b2dd397bee2ca41bb4

SHA256
1eb0795b1928f6b0459199dace5affdc0842b6fba87be53ca108661275df2f3e

SHA512
58ce13c47e0daf99d66af1ea35984344c0bb11ba70fe92bc4ffa4cd6799d6f13bcad652b6883c0e32c6e155e9c1b020319c90da87cb0830f963639d53a51f9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll

Filesize
160KB

MD5
6df226bda27d26ce4523b80dbf57a9ea

SHA1
615f9aba84856026460dc54b581711dad63da469

SHA256
17d737175d50eee97ac1c77db415fe25cc3c7a3871b65b93cc3fad63808a9abc

SHA512
988961d7a95c9883a9a1732d0b5d4443c790c38e342a9e996b072b41d2e8686389f36a249f2232cb58d72f8396c849e9cc52285f35071942bec5c3754b213dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll

Filesize
119KB

MD5
9d2c520bfa294a6aa0c5cbc6d87caeec

SHA1
20b390db533153e4bf84f3d17225384b924b391f

SHA256
669c812cb8f09799083014a199b0deee10237c95fb49ee107376b952fee5bd89

SHA512
7e2e569549edb6ddd2b0cb0012386aed1f069e35d1f3045bb57704ef17b97129deb7cde8e23bc49980e908e1a5a90b739f68f36a1d231b1302a5d29b722e7c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OViewModels.dll

Filesize
8KB

MD5
be4c2b0862d2fc399c393fca163094df

SHA1
7c03c84b2871c27fa0f1914825e504a090c2a550

SHA256
c202e4f92b792d34cb6859361aebdbfc8c61cf9e735edfd95e825839920fb88a

SHA512
d9c531687a5051bbfe5050c5088623b3fd5f20b1e53dd4d3ed281c8769c15f45da36620231f6d0d76f8e2aa7de00c2324a4bf35a815cefc70ca97bc4ab253799

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll

Filesize
154KB

MD5
17220f65bd242b6a491423d5bb7940c1

SHA1
a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

SHA256
23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

SHA512
bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Core.dll

Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Extension.dll

Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll

Filesize
541KB

MD5
9de86cdf74a30602d6baa7affc8c4a0f

SHA1
9c79b6fbf85b8b87dd781b20fc38ba2ac0664143

SHA256
56032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583

SHA512
dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll

Filesize
133KB

MD5
8db691813a26e7d0f1db5e2f4d0d05e3

SHA1
7c7a33553dd0b50b78bf0ca6974c77088da253eb

SHA256
3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701

SHA512
d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe

Filesize
26KB

MD5
cef027c3341afbcdb83c72080df7f002

SHA1
e538f1dd4aee8544d888a616a6ebe4aeecaf1661

SHA256
e87db511aa5b8144905cd24d9b425f0d9a7037fface3ca7824b7e23cfddbbbb7

SHA512
71ba423c761064937569922f1d1381bd11d23d1d2ed207fc0fead19e9111c1970f2a69b66e0d8a74497277ffc36e0fc119db146b5fd068f4a6b794dc54c5d4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll

Filesize
172KB

MD5
b199dcd6824a02522a4d29a69ab65058

SHA1
f9c7f8c5c6543b80fa6f1940402430b37fa8dce4

SHA256
9310a58f26be8bd453cde5ca6aa05042942832711fbdeb5430a2840232bfa5e4

SHA512
1d3e85e13ff24640c76848981ca84bafb32f819a082e390cb06fe13445814f50f8e3fc3a8a8e962aae8867e199c1517d570c07f28d5f7e5f007b2bb6e664ddb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\OfferPage.html

Filesize
1KB

MD5
9ba0a91b564e22c876e58a8a5921b528

SHA1
8eb23cab5effc0d0df63120a4dbad3cffcac6f1e

SHA256
2ad742b544e72c245f4e9c2e69f989486222477c7eb06e85d28492bd93040941

SHA512
38b5fb0f12887a619facce82779cb66e2592e5922d883b9dc4d5f9d2cb12e0f84324422cd881c948f430575febd510e948a22cd291595e3a0ba0307fce73bec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\tis\Config.tis

Filesize
291B

MD5
bf5328e51e8ab1211c509b5a65ab9972

SHA1
480dfb920e926d81bce67113576781815fbd1ea4

SHA256
98f22fb45530506548ae320c32ee4939d27017481d2ad0d784aa5516f939545b

SHA512
92bd7895c5ff8c40eecfdc2325ee5d1fb7ed86ce0ef04e8e4a65714fcf5603ea0c87b71afadb473433abb24f040ccabd960fa847b885322ad9771e304b661928

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll

Filesize
134KB

MD5
105a9e404f7ac841c46380063cc27f50

SHA1
ec27d9e1c3b546848324096283797a8644516ee3

SHA256
69fe749457218ec9a765f9aac74caf6d4f73084cf5175d3fd1e4f345af8b3b8b

SHA512
6990cbfc90c63962abde4fdaae321386f768be9fcf4d08bccd760d55aba85199f7a3e18bd7abe23c3a8d20ea9807cecaffb4e83237633663a8bb63dd9292d940

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll

Filesize
101KB

MD5
83d37fb4f754c7f4e41605ec3c8608ea

SHA1
70401de8ce89f809c6e601834d48768c0d65159f

SHA256
56db33c0962b3c34cba5279d2441bc4c12f28b569eadc1b3885dd0951b2c4020

SHA512
f5f3479f485b1829bbfb7eb8087353aee569184f9c506af15c4e28bfe4f73bf2cc220d817f6dfc34b2a7a6f69453f0b71e64b79c4d500ff9a243799f68e88b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll

Filesize
151KB

MD5
72990c7e32ee6c811ea3d2ea64523234

SHA1
a7fcbf83ec6eefb2235d40f51d0d6172d364b822

SHA256
e77e0b4f2762f76a3eaaadf5a3138a35ec06ece80edc4b3396de7a601f8da1b3

SHA512
2908b8c387d46b6329f027bc1e21a230e5b5c32460f8667db32746bc5f12f86927faa10866961cb2c45f6d594941f6828f9078ae7209a27053f6d11586fd2682

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\app.ico

Filesize
766B

MD5
4003efa6e7d44e2cbd3d7486e2e0451a

SHA1
a2a9ab4a88cd4732647faa37bbdf726fd885ea1e

SHA256
effd42c5e471ea3792f12538bf7c982a5cda4d25bfbffaf51eed7e09035f4508

SHA512
86e71ca8ca3e62949b44cfbc7ffa61d97b6d709fc38216f937a026fb668fbb1f515bac2f25629181a82e3521dafa576cac959d2b527d9cc9eb395e50d64c1198

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\Users\Admin\AppData\Local\opera.exe

Filesize
2.1MB

MD5
f2187d657d2e63cf9b60daed91f1cea6

SHA1
f10fdbcf3fa9c470d8b1612772f24d890a986385

SHA256
64435309bb2a31b48ee7677c0227e6fc7a9f793dfab5bc05d16b7abbcc248149

SHA512
68e2cf85031e031146d7ef1492336147c92ed0bc11b7be8e9aa1f73ca9c0b574346aed9bc9f015bbb760d871854e4ad87b7e2a47e30f332f50ae66ac3709f4f8

Download Submit
C:\Users\Admin\AppData\Local\setup18139554.exe

Filesize
3.8MB

MD5
29d3a70cec060614e1691e64162a6c1e

SHA1
ce4daf2b1d39a1a881635b393450e435bfb7f7d1

SHA256
cc70b093a19610e9752794d757aec9ef07ca862ea9267ec6f9cc92b2aa882c72

SHA512
69d07437714259536373872e8b086fc4548f586e389f67e50f56d343e980546f92b8a13f28c853fc1daf187261087a9dceb33769ba2031c42382742d86c60e4b

Download Submit
C:\Users\Admin\Downloads\executor xeno_18139554.exe

Filesize
364KB

MD5
237a9e619e62b5c0a5eec0da67e9f40f

SHA1
afc7449a1710180192b206631ad1b1a7d7b3d220

SHA256
8aa6805c5c2d73ff895044ee3a5817e9584df215d0b2d836251cc647c08a7e8e

SHA512
855876aad0046ea73ee7470a1c7daf4ae58e82e8f884d04b671174f6932e920f12ab08ed8acb0d6afc71a30e89630491874bb577b676fc249d6f33633b1c2f39

Download Submit
memory/4860-1235-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/5744-1047-0x0000000008470000-0x0000000008A24000-memory.dmp

Filesize
5.7MB

Download
memory/5744-953-0x0000000005C20000-0x0000000005C44000-memory.dmp

Filesize
144KB

Download
memory/5744-1029-0x0000000006E60000-0x00000000071B4000-memory.dmp

Filesize
3.3MB

Download
memory/5744-982-0x0000000005C70000-0x0000000005C8D000-memory.dmp

Filesize
116KB

Download
memory/5744-1038-0x0000000007320000-0x000000000732C000-memory.dmp

Filesize
48KB

Download
memory/5744-888-0x0000000005AB0000-0x0000000005AD4000-memory.dmp

Filesize
144KB

Download
memory/5744-1043-0x0000000007900000-0x0000000007EA4000-memory.dmp

Filesize
5.6MB

Download
memory/5744-880-0x0000000005A60000-0x0000000005A74000-memory.dmp

Filesize
80KB

Download
memory/5744-896-0x0000000005AE0000-0x0000000005B08000-memory.dmp

Filesize
160KB

Download
memory/5744-1065-0x0000000007580000-0x0000000007612000-memory.dmp

Filesize
584KB

Download
memory/5744-904-0x0000000005B10000-0x0000000005B3E000-memory.dmp

Filesize
184KB

Download
memory/5744-1028-0x0000000006E30000-0x0000000006E52000-memory.dmp

Filesize
136KB

Download
memory/5744-959-0x0000000005C00000-0x0000000005C0A000-memory.dmp

Filesize
40KB

Download
memory/5744-1088-0x0000000006050000-0x000000000607E000-memory.dmp

Filesize
184KB

Download
memory/5744-965-0x0000000005C90000-0x0000000005C98000-memory.dmp

Filesize
32KB

Download
memory/5744-858-0x0000000000CD0000-0x00000000010A8000-memory.dmp

Filesize
3.8MB

Download
memory/5744-947-0x0000000005B90000-0x0000000005BAA000-memory.dmp

Filesize
104KB

Download
memory/5744-941-0x0000000005BB0000-0x0000000005BE2000-memory.dmp

Filesize
200KB

Download
memory/5744-996-0x0000000006350000-0x0000000006362000-memory.dmp

Filesize
72KB

Download
memory/5744-971-0x0000000005CE0000-0x0000000005D0C000-memory.dmp

Filesize
176KB

Download
memory/5744-1027-0x00000000069B0000-0x00000000069BA000-memory.dmp

Filesize
40KB

Download
memory/5744-1022-0x0000000006A30000-0x0000000006ABC000-memory.dmp

Filesize
560KB

Download
memory/5744-912-0x0000000005B40000-0x0000000005B68000-memory.dmp

Filesize
160KB

Download