hxxps://en[.]exloader[.]net/

Analysis

max time kernel
287s
max time network
288s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-12-2024 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://en.exloader.net/

Score

8^/10

discovery execution persistence phishing spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Control Panel\International\Geo\Nation	ExLoader_Installer.exe

Executes dropped EXE 30 IoCs

pid	Process
5300	OperaGXSetup.exe
5148	setup.exe
3692	setup.exe
2492	setup.exe
5836	OperaGXSetup.exe
5724	setup.exe
1992	setup.exe
464	setup.exe
1172	setup.exe
3544	setup.exe
5588	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
5928	assistant_installer.exe
5544	assistant_installer.exe
4192	ExLoader_Installer.exe
5764	ExLoader_Installer.exe
5532	ExLoader.exe
5968	OperaSetup.exe
1184	setup.exe
2256	setup.exe
3388	setup.exe
6108	setup.exe
6056	setup.exe
2264	againfilters.exe
4868	Assistant_114.0.5282.21_Setup.exe_sfx.exe
3584	assistant_installer.exe
1700	assistant_installer.exe
6052	dxwebsetup.exe
1464	dxwsetup.exe
5788	dxwebsetup.exe
4776	dxwsetup.exe

Loads dropped DLL 52 IoCs

pid	Process
5148	setup.exe
3692	setup.exe
2492	setup.exe
5724	setup.exe
1992	setup.exe
464	setup.exe
1172	setup.exe
3544	setup.exe
5764	ExLoader_Installer.exe
5764	ExLoader_Installer.exe
5764	ExLoader_Installer.exe
5764	ExLoader_Installer.exe
5764	ExLoader_Installer.exe
5764	ExLoader_Installer.exe
5532	ExLoader.exe
5532	ExLoader.exe
5532	ExLoader.exe
5532	ExLoader.exe
5532	ExLoader.exe
5532	ExLoader.exe
5532	ExLoader.exe
5532	ExLoader.exe
5532	ExLoader.exe
5532	ExLoader.exe
5532	ExLoader.exe
5532	ExLoader.exe
5532	ExLoader.exe
5532	ExLoader.exe
5532	ExLoader.exe
1184	setup.exe
2256	setup.exe
3388	setup.exe
6108	setup.exe
6056	setup.exe
2264	againfilters.exe
2264	againfilters.exe
2264	againfilters.exe
2264	againfilters.exe
2264	againfilters.exe
2264	againfilters.exe
2264	againfilters.exe
2264	againfilters.exe
2264	againfilters.exe
2264	againfilters.exe
2264	againfilters.exe
2264	againfilters.exe
2264	againfilters.exe
2264	againfilters.exe
3584	assistant_installer.exe
3584	assistant_installer.exe
1700	assistant_installer.exe
1700	assistant_installer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dxwebsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dxwebsetup.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5396	powershell.exe
2800	powershell.exe
2788	powershell.exe

Enumerates connected drives 3 TTPs 56 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	dxwsetup.exe
File opened (read-only)	\??\E:	dxwsetup.exe
File opened (read-only)	\??\J:	dxwsetup.exe
File opened (read-only)	\??\B:	dxwsetup.exe
File opened (read-only)	\??\A:	dxwsetup.exe
File opened (read-only)	\??\Y:	dxwsetup.exe
File opened (read-only)	\??\G:	dxwsetup.exe
File opened (read-only)	\??\R:	dxwsetup.exe
File opened (read-only)	\??\Z:	dxwsetup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\M:	dxwsetup.exe
File opened (read-only)	\??\T:	dxwsetup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\M:	dxwsetup.exe
File opened (read-only)	\??\W:	dxwsetup.exe
File opened (read-only)	\??\K:	dxwsetup.exe
File opened (read-only)	\??\N:	dxwsetup.exe
File opened (read-only)	\??\Q:	dxwsetup.exe
File opened (read-only)	\??\W:	dxwsetup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\R:	dxwsetup.exe
File opened (read-only)	\??\S:	dxwsetup.exe
File opened (read-only)	\??\U:	dxwsetup.exe
File opened (read-only)	\??\H:	dxwsetup.exe
File opened (read-only)	\??\O:	dxwsetup.exe
File opened (read-only)	\??\X:	dxwsetup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\I:	dxwsetup.exe
File opened (read-only)	\??\N:	dxwsetup.exe
File opened (read-only)	\??\Q:	dxwsetup.exe
File opened (read-only)	\??\Z:	dxwsetup.exe
File opened (read-only)	\??\I:	dxwsetup.exe
File opened (read-only)	\??\E:	dxwsetup.exe
File opened (read-only)	\??\L:	dxwsetup.exe
File opened (read-only)	\??\Y:	dxwsetup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\B:	dxwsetup.exe
File opened (read-only)	\??\H:	dxwsetup.exe
File opened (read-only)	\??\S:	dxwsetup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\P:	dxwsetup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\V:	dxwsetup.exe
File opened (read-only)	\??\A:	dxwsetup.exe
File opened (read-only)	\??\P:	dxwsetup.exe
File opened (read-only)	\??\V:	dxwsetup.exe
File opened (read-only)	\??\G:	dxwsetup.exe
File opened (read-only)	\??\L:	dxwsetup.exe
File opened (read-only)	\??\K:	dxwsetup.exe
File opened (read-only)	\??\J:	dxwsetup.exe
File opened (read-only)	\??\U:	dxwsetup.exe
File opened (read-only)	\??\O:	dxwsetup.exe
File opened (read-only)	\??\T:	dxwsetup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
285	raw.githubusercontent.com
286	raw.githubusercontent.com
287	raw.githubusercontent.com
333	raw.githubusercontent.com

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
291	ipapi.co
292	ipapi.co
293	ipapi.co
281	api.ipify.org
282	api.ipify.org
283	api.ipify.org

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\directx\websetup\SET365E.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\dxupdate.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SET1C2F.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup32.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET365E.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET1C30.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET365F.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup\filelist.dat	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SET1C30.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup\filelist.dat	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup32.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET1C2F.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SET365F.tmp	dxwsetup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\audio\Steam_hover.wav	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\check.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\resume.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-core-errorhandling-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\mail.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\ucrtbase.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\vcruntime140.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\CatsDay.jpg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\compressed_logos\cats.ico	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\fonts\NoirPro-Bold.otf	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\Warcraft.jpg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\shaders\ink_sparkle.frag	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-core-processthreads-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\media_kit_libs_windows_video_plugin.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\images\grain.png	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\safe-shield.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\translate-not-google.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\audio\AbominationPissed_EN.wav	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\Fallguys_v2.jpg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\christmas-tree.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\pumpkin.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-core-sysinfo-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\packages\media_kit\assets\web\hls1.4.10.js	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\pencil.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\shield-exclamation.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\telegram.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\vulkan-1.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\images\fabric_second.png	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\images\rain.webp	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\FontManifest.json	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\Agents%20of%20Mayhem.jpg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\folder.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\selected-viewbox.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\close.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\favourite-added.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\unsafe-shield.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\audio\Standard_hover.wav	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\Cyberpunk.jpg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\SummerStart.jpg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\cat-1.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\audio\Windows_notification.wav	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-core-rtlsupport-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\msvcp140_codecvt_ids.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\vccorlib140.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\trust-properties.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-core-string-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\libmpv-2.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\images\snow_alternative.webp	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-crt-utility-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\selected-anixart.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\msvcp140.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\compressed_logos\clown.ico	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\chevron-down.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\puffer-fish.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\compressed_logos\food.ico	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\description-blank.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-core-processenvironment-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-crt-convert-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\packages\wakelock_plus\assets\no_sleep.js	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\arrow-left.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\simple.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\images\snow.webp	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\selected.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\thumb-up.svg	ExLoader_Installer.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\security\logs\scecomp.log	dxwsetup.exe
File opened for modification	C:\Windows\Logs\DirectX.log	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5B3E63.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\security\logs\scecomp.log	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5B2444.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\Logs\DXError.log	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5B2444.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5B2444.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5B3E63.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5B3E63.tmp	dxwsetup.exe
File opened for modification	C:\Windows\Logs\DXError.log	dxwsetup.exe
File opened for modification	C:\Windows\Logs\DirectX.log	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp	dxwsetup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaGXSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxwebsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxwsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaGXSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxwebsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxwsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Assistant_114.0.5282.21_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3336	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 665542.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 567539.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
3700	msedge.exe
3700	msedge.exe
1296	msedge.exe
1296	msedge.exe
4644	identity_helper.exe
4644	identity_helper.exe
5696	msedge.exe
5696	msedge.exe
5496	msedge.exe
5496	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
5764	ExLoader_Installer.exe
5764	ExLoader_Installer.exe
5396	powershell.exe
5396	powershell.exe
5396	powershell.exe
2264	againfilters.exe
2264	againfilters.exe
2264	againfilters.exe
2264	againfilters.exe
2264	againfilters.exe
2264	againfilters.exe
2800	powershell.exe
2800	powershell.exe
2800	powershell.exe
2788	powershell.exe
2788	powershell.exe
2788	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5396	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	3336	taskkill.exe
Token: SeDebugPrivilege	2788	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5148	setup.exe
5764	ExLoader_Installer.exe
5764	ExLoader_Installer.exe
5532	ExLoader.exe
5532	ExLoader.exe
2264	againfilters.exe
2264	againfilters.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 4860	1296	msedge.exe	81
PID 1296 wrote to memory of 4860	1296	msedge.exe	81
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 1476	1296	msedge.exe	82
PID 1296 wrote to memory of 3700	1296	msedge.exe	83
PID 1296 wrote to memory of 3700	1296	msedge.exe	83
PID 1296 wrote to memory of 4456	1296	msedge.exe	84
PID 1296 wrote to memory of 4456	1296	msedge.exe	84
PID 1296 wrote to memory of 4456	1296	msedge.exe	84
PID 1296 wrote to memory of 4456	1296	msedge.exe	84
PID 1296 wrote to memory of 4456	1296	msedge.exe	84
PID 1296 wrote to memory of 4456	1296	msedge.exe	84
PID 1296 wrote to memory of 4456	1296	msedge.exe	84
PID 1296 wrote to memory of 4456	1296	msedge.exe	84
PID 1296 wrote to memory of 4456	1296	msedge.exe	84
PID 1296 wrote to memory of 4456	1296	msedge.exe	84
PID 1296 wrote to memory of 4456	1296	msedge.exe	84
PID 1296 wrote to memory of 4456	1296	msedge.exe	84
PID 1296 wrote to memory of 4456	1296	msedge.exe	84
PID 1296 wrote to memory of 4456	1296	msedge.exe	84
PID 1296 wrote to memory of 4456	1296	msedge.exe	84
PID 1296 wrote to memory of 4456	1296	msedge.exe	84
PID 1296 wrote to memory of 4456	1296	msedge.exe	84
PID 1296 wrote to memory of 4456	1296	msedge.exe	84
PID 1296 wrote to memory of 4456	1296	msedge.exe	84
PID 1296 wrote to memory of 4456	1296	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://en.exloader.net/
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x104,0x130,0x7ff9569046f8,0x7ff956904708,0x7ff956904718
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6196 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  PID:3944
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6a6485460,0x7ff6a6485470,0x7ff6a6485480
    3⤵
    PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2336 /prefetch:1
  2⤵
  PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6404 /prefetch:8
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7308 /prefetch:8
  2⤵
  PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6404 /prefetch:8
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7220 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:1
  2⤵
  PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7636 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6040 /prefetch:8
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7216 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7488 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7348 /prefetch:8
  2⤵
  PID:2328
- C:\Users\Admin\Downloads\OperaGXSetup.exe
  "C:\Users\Admin\Downloads\OperaGXSetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5300
- - C:\Users\Admin\AppData\Local\Temp\7zS4B465ED8\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS4B465ED8\setup.exe --server-tracking-blob=NTZhZDhmOGQyNWI5MzRjOWQ0ZDA2ZWViZGU1NGUyMWY0ZDU4M2RiNTM1ZmI5NjZhMWMwMGFjNWMzMWUzNTI2Nzp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9VU19TVlJfT09NJmVkaXRpb249c3RkLTImdXRtX2lkPWQ0MGJiMDU1Mzg2NjRhMTliZWQzNjIzNzgxZDRmOTVkJmh0dHBfcmVmZXJyZXI9bWlzc2luZyZ1dG1fc2l0ZT1vcGVyYV9jb20mdXRtX2xhc3RwYWdlPW9wZXJhLmNvbSUyRiZ1dG1faWQ9ZDQwYmIwNTUzODY2NGExOWJlZDM2MjM3ODFkNGY5NWQmZGxfdG9rZW49NTA3OTUyMjAiLCJ0aW1lc3RhbXAiOiIxNzM0Nzk0Mjc3LjUyNjIiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOTIuMC40NTE1LjEzMSBTYWZhcmkvNTM3LjM2IEVkZy85Mi4wLjkwMi42NyIsInV0bSI6eyJjYW1wYWlnbiI6IlBXTl9VU19TVlJfT09NIiwiaWQiOiJkNDBiYjA1NTM4NjY0YTE5YmVkMzYyMzc4MWQ0Zjk1ZCIsImxhc3RwYWdlIjoib3BlcmEuY29tLyIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiJkNDY4MGUzZS05ZjQ3LTQ4OGUtYTllZC1mOGI4M2E2ZDg0NmYifQ==
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:5148
  - - C:\Users\Admin\AppData\Local\Temp\7zS4B465ED8\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS4B465ED8\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=115.0.5322.113 --initial-client-data=0x338,0x33c,0x340,0x2f0,0x344,0x74ce2d4c,0x74ce2d58,0x74ce2d64
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\7zS4B465ED8\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS4B465ED8\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --vought_browser=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=5148 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20241221151834" --session-guid=bfab6a64-1572-4eb5-bad8-83ca104f2782 --server-tracking-blob=NWI2OGEzZDI0YWY5ZDVjMTRmMzhiMjhhODY0YzQxYjI4MWNiMDg1Nzk5YmY4MTI5MjY1ODg0NDQ3ZWZiYjFhYTp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6eyJuYW1lIjoib3BlcmFfZ3gifSwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9VU19TVlJfT09NJmVkaXRpb249c3RkLTImdXRtX2lkPWQ0MGJiMDU1Mzg2NjRhMTliZWQzNjIzNzgxZDRmOTVkJmh0dHBfcmVmZXJyZXI9bWlzc2luZyZ1dG1fc2l0ZT1vcGVyYV9jb20mdXRtX2xhc3RwYWdlPW9wZXJhLmNvbSUyRiZ1dG1faWQ9ZDQwYmIwNTUzODY2NGExOWJlZDM2MjM3ODFkNGY5NWQmZGxfdG9rZW49NTA3OTUyMjAiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MzQ3OTQyNzcuNTI2MiIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS85Mi4wLjQ1MTUuMTMxIFNhZmFyaS81MzcuMzYgRWRnLzkyLjAuOTAyLjY3IiwidXRtIjp7ImNhbXBhaWduIjoiUFdOX1VTX1NWUl9PT00iLCJpZCI6ImQ0MGJiMDU1Mzg2NjRhMTliZWQzNjIzNzgxZDRmOTVkIiwibGFzdHBhZ2UiOiJvcGVyYS5jb20vIiwibWVkaXVtIjoicGEiLCJzaXRlIjoib3BlcmFfY29tIiwic291cmNlIjoiUFdOZ2FtZXMifSwidXVpZCI6ImQ0NjgwZTNlLTlmNDctNDg4ZS1hOWVkLWY4YjgzYTZkODQ2ZiJ9 --desktopshortcut=1 --wait-for-package --initial-proc-handle=6009000000000000
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      PID:1172
    - - C:\Users\Admin\AppData\Local\Temp\7zS4B465ED8\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4B465ED8\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=115.0.5322.113 --initial-client-data=0x328,0x32c,0x330,0x304,0x334,0x723a2d4c,0x723a2d58,0x723a2d64
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3544
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202412211518341\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202412211518341\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5588
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202412211518341\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202412211518341\assistant\assistant_installer.exe" --version
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5928
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202412211518341\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202412211518341\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x2ac,0x2b0,0x2b4,0x288,0x2b8,0x7f4f48,0x7f4f58,0x7f4f64
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5544
- C:\Users\Admin\Downloads\OperaGXSetup.exe
  "C:\Users\Admin\Downloads\OperaGXSetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5836
- - C:\Users\Admin\AppData\Local\Temp\7zSCC6BD2C8\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zSCC6BD2C8\setup.exe --server-tracking-blob=NTZhZDhmOGQyNWI5MzRjOWQ0ZDA2ZWViZGU1NGUyMWY0ZDU4M2RiNTM1ZmI5NjZhMWMwMGFjNWMzMWUzNTI2Nzp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9VU19TVlJfT09NJmVkaXRpb249c3RkLTImdXRtX2lkPWQ0MGJiMDU1Mzg2NjRhMTliZWQzNjIzNzgxZDRmOTVkJmh0dHBfcmVmZXJyZXI9bWlzc2luZyZ1dG1fc2l0ZT1vcGVyYV9jb20mdXRtX2xhc3RwYWdlPW9wZXJhLmNvbSUyRiZ1dG1faWQ9ZDQwYmIwNTUzODY2NGExOWJlZDM2MjM3ODFkNGY5NWQmZGxfdG9rZW49NTA3OTUyMjAiLCJ0aW1lc3RhbXAiOiIxNzM0Nzk0Mjc3LjUyNjIiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOTIuMC40NTE1LjEzMSBTYWZhcmkvNTM3LjM2IEVkZy85Mi4wLjkwMi42NyIsInV0bSI6eyJjYW1wYWlnbiI6IlBXTl9VU19TVlJfT09NIiwiaWQiOiJkNDBiYjA1NTM4NjY0YTE5YmVkMzYyMzc4MWQ0Zjk1ZCIsImxhc3RwYWdlIjoib3BlcmEuY29tLyIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiJkNDY4MGUzZS05ZjQ3LTQ4OGUtYTllZC1mOGI4M2E2ZDg0NmYifQ==
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:5724
  - - C:\Users\Admin\AppData\Local\Temp\7zSCC6BD2C8\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zSCC6BD2C8\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=115.0.5322.113 --initial-client-data=0x32c,0x330,0x334,0x328,0x338,0x723a2d4c,0x723a2d58,0x723a2d64
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1992
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4204 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5496
- C:\Users\Admin\Downloads\ExLoader_Installer.exe
  "C:\Users\Admin\Downloads\ExLoader_Installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5764
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command "$WshShell = New-Object -comObject WScript.Shell $Shortcut = $WshShell.CreateShortcut(\"c:\users\admin\desktop\ExLoader.lnk\") $Shortcut.TargetPath = \"C:\Program Files\ExLoader\ExLoader.exe\" $Shortcut.Save()"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5396
  - - C:\Program Files\ExLoader\ExLoader.exe
      "C:\Program Files\ExLoader\ExLoader.exe" -deletePreviousExLoader
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:5532
    - - C:\Program Files\ExLoader\againfilters.exe
        
        "C:\Program Files\ExLoader\againfilters.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2264
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command (gwmi Win32_BaseBoard)
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /C C:\Windows\System32\taskkill.exe /f /im cs2.exe
        6⤵
        
        PID:2296
        
        C:\Windows\System32\taskkill.exe
        
        C:\Windows\System32\taskkill.exe /f /im cs2.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3336
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /C C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\tools\dxwebsetup.exe /Q
        6⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\tools\dxwebsetup.exe
        
        C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\tools\dxwebsetup.exe /Q
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe /windowsupdate
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1464
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\tools\dxwebsetup.exe /Q
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\tools\dxwebsetup.exe
        
        "C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\tools\dxwebsetup.exe" /Q
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5788
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe /windowsupdate
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
      C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe --silent --allusers=0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5968
    - - C:\Users\Admin\AppData\Local\Temp\7zS057395D9\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS057395D9\setup.exe --silent --allusers=0 --server-tracking-blob=ZGE3MzdhY2E5MzE4Y2FmNDY5OTNjOTBjYjE1NWE1YzBjYjhlYTk5NmQ3M2UwODYzMTJmNmE0MGMyOTM3Mjk1MDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGU/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1PRlQmdXRtX2NhbXBhaWduPU5FV19fMTgyMjZhIiwidGltZXN0YW1wIjoiMTczNDc5NDM5MC43NTQ3IiwidXNlcmFnZW50IjoiRGFydC8zLjUgKGRhcnQ6aW8pIiwidXRtIjp7ImNhbXBhaWduIjoiTkVXX18xODIyNmEiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJPRlQifSwidXVpZCI6IjM5YzU5MzRiLTEyMDAtNGEwMS05ZGQ2LWE2NjNiZDk0YjFmZCJ9
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:1184
      - C:\Users\Admin\AppData\Local\Temp\7zS057395D9\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS057395D9\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.109 --initial-client-data=0x328,0x32c,0x330,0x304,0x334,0x71099d44,0x71099d50,0x71099d5c
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2256
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3388
      - C:\Users\Admin\AppData\Local\Temp\7zS057395D9\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS057395D9\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1184 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241221151953" --session-guid=6fe39de4-c58c-4ad0-9b98-de98ee573f44 --server-tracking-blob="MDlmNjg1YWI2M2QyY2JmZjg0ZmYzZDkyMzA4NmJlNWNjZmM2NTc2NWY0Yjg3OTA2MDJlZGJhNTY3NjE4ODMyYjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGU/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1PRlQmdXRtX2NhbXBhaWduPU5FV19fMTgyMjZhIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzM0Nzk0MzkwLjc1NDciLCJ1c2VyYWdlbnQiOiJEYXJ0LzMuNSAoZGFydDppbykiLCJ1dG0iOnsiY2FtcGFpZ24iOiJORVdfXzE4MjI2YSIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Ik9GVCJ9LCJ1dWlkIjoiMzljNTkzNGItMTIwMC00YTAxLTlkZDYtYTY2M2JkOTRiMWZkIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=D005000000000000
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\7zS057395D9\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS057395D9\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.109 --initial-client-data=0x334,0x338,0x33c,0x304,0x340,0x70659d44,0x70659d50,0x70659d5c
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:6056
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202412211519531\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202412211519531\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4868
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202412211519531\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202412211519531\assistant\assistant_installer.exe" --version
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202412211519531\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202412211519531\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x260,0x264,0x268,0x23c,0x26c,0x11b17a0,0x11b17ac,0x11b17b8
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,9566315115553889495,3077690141510673119,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7560 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ExLoader\ExLoader.zip

Filesize
45.4MB

MD5
39106c9f46cb70314865a6465dc7cc0e

SHA1
8655deaf47a7d17489cc6ba59625eadcf77eca4a

SHA256
b2546bbb4a388e34c6e1ce1af2423fdce2e9ffbe55828f45d594a80eeccd95af

SHA512
0ef33513ecd6d893f10b11dd60864651e243d33f73690c40dd700440f016f7bf41ebc5a2a1bea1b65c78c542ec0222591406efdb8ca2da6035a0f4af9b25c96f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
23e967324ae2fa2127c20ea2b163032f

SHA1
82fe5417469df0646fd3161b4f8826b733dd6b2f

SHA256
fdc711357a495aed97b0749ab3e45e099bc9f616e3cb343723135ac3c1c2d26e

SHA512
7b438f89bfadfce2cce70b3867ca9e2bc26bff4df54b4a95bc7228e333d5dda58d91dad2f08077fd5d18237ba970d0bb733789e20fadc88f6acb641ee7bd2292

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9A347AC5A42F886F9F966873087C7F2E

Filesize
727B

MD5
14612d8378b55b69c708b4cc6237eb5a

SHA1
64fb16026524a33ed2012f0c25d587fccfb96cb2

SHA256
81f0d9fa05a2b0ad0b7397f91b9fa15e8480271e996bb54d5e9d4581dd0c79f5

SHA512
1b0b53d2cd8e0dcab1a0fece831a928439afaf1a9ae5cffb84887a57ea365bb9de0751ab0def4ea43e687b2a57281a061db9350bb3fc5249e7ee6ee2c441b544

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
c8d51e22ed71c880760e47ebf72fe42e

SHA1
6cd318ddaffcf78f07ee5a7cc433e215f3d68251

SHA256
2bf401ec02ddef8f8841c1d9e15801b1073c9f254b00ed79f254978b840624fb

SHA512
d8e49648e971c40bdbf538e0c633336dc7a3ee247edcace34a846f97b87a6b99b60d70741493286a32f08df32e115784366270be17702298a2371d79078bad68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
8cbfb2f40be1c023b00c6622dfe0f1a5

SHA1
f5deb0c85b6e2ba9162330587d0929cf809ded8c

SHA256
f97bb033315b3ff608b7e8c6f7ea69cb1056b05f45ee86cc2b4b155ca023a5f5

SHA512
ebc28a07a0ea4aa595b868bbd93cc532e86d7ac18e94d63e73da02a25e67e82ab64b773387a5680eb6bd61da720f38473eb0c4e5ee692398786aa588456124d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9A347AC5A42F886F9F966873087C7F2E

Filesize
404B

MD5
bc1dbce6c07346086083b2f7a96a9774

SHA1
882b48f0a390fa0d6fb87bb84928c2542b2ed748

SHA256
86925d05dffb9bdc96c853a44886299c8b7f01b37ae89b94c78b0c2e6aaf046f

SHA512
4409ea6ac78fae1673bb8de1df3184c336e5f5147216b2143b1e196e4ebc30232c4918bc484573c1ab3825ee2550e738df949c665ced0fc95be11b37bec94a5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
1c88f79dc3eaaecd0a6dbf9c7f022e4d

SHA1
a5d5979262c0e4217e8f1b363d4ad3d189e3b865

SHA256
e5737d38374ccd01365a5aa8bc5d19add7eaace94d48409e64861413bb9d3d7b

SHA512
b0cd35fe159ac1ae29b2e9c7dab6d577a0599cbb27353e1c0bf18f163f9242777b36b33c262e1c5a8c6a1a00b7cd312d966fb91372684e2d9a20191db6bf8718

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8978379b8b4dac705f196c82cddb401

SHA1
873169c69e4aaa8c3e1da1c95f3fc6b005f63112

SHA256
83528bc9af5e037e40f14bece26788301e4555a6164b31e6010d93d7d18f0afa

SHA512
2d73194d03ea51d4154ee9556950dee1e666720c4b53fe671cf2e7647889d480c2941757d6b9b4c60a29a6799478450136f4847b0bec5d4b6aa630d9ca856308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c8c74ab5c035388c9f8ca42d04225ed8

SHA1
1bb47394d88b472e3f163c39261a20b7a4aa3dc0

SHA256
ea821d15371cdfef9f4c01c71fbe39f9db7bfd61e6a83e09b14886c5756cd9d9

SHA512
88922af80d561b3cf10963160d245044554f9011e4aec4fd40c740b06e5e87e9bc16ed309e296f549d9244b6cc93f627d6dd010eb2d325b38cbb1d43d8b95157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5658ff31d231b00e0c37dc560602b600

SHA1
7372c6eb5d8425372172fde6f9aa7b601415024d

SHA256
e5c7112d6fc42f3e052c399056d0da7345325e8f4690baf3a22c019874afdea1

SHA512
c1b65e8be6e8964baa6bff259322db9f11951f9f1e0099ce3f8344fea36aeb6c19c5b40ee0d864f083a09db3cd47dbe76a1c0904be1cc290d5a1914194b413f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
89KB

MD5
445d7ca13d334a0838cff9d6905c1790

SHA1
5747ad731326797179dac0f4770e09c36a8aa248

SHA256
ac47705cb831ecb13f1c94a76fe667e40af99a5ff58ab9e50a1846ec84ec3b37

SHA512
096f26d1d0cfaca0faeb975c62fd0b820215905a01194f96853d3f050b0c33b1b30c96a006e3eeb2924acf939d8713df98e1a3c0e1d1d9a9a9096a0be421bb6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
92a017e584258fb9cb49efcc32ea33a9

SHA1
b643a2f7efd959ce75e38b90e6b2b9283d8a5b22

SHA256
ee75240e6c131dd71d7947015874431bfda6a9fedabc975aab50841429d55d70

SHA512
7114993ad0c04b063a481de6a4905ddf74dadde1f77cc0e431694c4d2c471df3f8bf4b61c0d0a299a470e52f359a90a7dc6f6260f53dbba05fb73cd920e0da89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ac6c525e9ec60e2276ef9700d565babd

SHA1
bbb1930bd243710c42acdb4c22c35d6508b1c988

SHA256
cf46fd46c7ed681d7346239e91173d9c95537b04a579b2572638583b62e753d4

SHA512
97f8fa82946a18c5c7092fcd14451fdb890b163b607cfc0eb4e83d86314d33dfe27b4cdf570a864acbe18709502f03be4783b0c7d04d5781acfa49a5ddf4eb06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
641b64fd4e8cd285b82da81aeb998cc8

SHA1
22993f2b0a5f3b64e28bc4deea815754872e64f7

SHA256
36c91a3622c3bf301d9e3677a22927fd7429cd5b90140a5ce656ab9c3283332c

SHA512
f32d70ed0ba0e40c460eae392677c4801277ee98620ba57485a211b915a47b2dbc03d20f880fbbb133d22e846f52fa21eb386fccfb82ed9e82a213a726eb2b7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
cf2185600e7a6bf5b0ae94cc87ee4777

SHA1
e3fb097717b20a69f65859d0f6c19ed8be41ff9b

SHA256
257ffe6a66712e1ec9ddae76d5a334c8e3136091c02b118fc09d35b453a447ef

SHA512
c85c2d60c6acfd6943aca101d5bf7992533003a311a3d105bd41657143dc558c8d2e7445728755feeefbabcf7717fcecba046ec0ae2f5b0d96f27c7605cfd982

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
8dffe7626b3e2a9b38c58c1ac81533f2

SHA1
f669a2a57ae3cb183e703846d41ea76372b0975f

SHA256
d42a1d8da020181e6554c6b03bf32fdc2e17a7a8e6eeab78e0f41182052d2a2c

SHA512
0e8eae13134b8cb99e2e16abbf4e51d7d2431a8e588cfe34dea777cf372126cd8cc3217ee6a44b650a5a35d61d7ddcf1e9667c9579659c2b5e9c85db25a44581

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5896bd.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
739e50bc6138b37a7577f71fb70ed1fa

SHA1
55af2ae8587299b4052ca2ef170f26cfdadf364a

SHA256
18fc31573322e8ab528e2276e3fd1dd210f919e6952ffbfbb5f13897f8ac5c84

SHA512
4d8c71b19ada3ec9b1e39200638046a632c607f2e4673c6ad3c5b1046787bad039a4153c6c4fed974481726a13883a785df00cf0ba9ae5fe98665ae8770f852f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0beae206a415654c9c45f530dfa3a3dd

SHA1
73aca335fe646412d1855dd1651114d3f098bbc1

SHA256
e2a8b9b25d8a9039e4c11835f54423ed1a9553e327084dfdb39ee9e93e93425f

SHA512
11ac6250daaf10b306c50772accf5826a42070207028158df0ef931e5aeaa3f2ccb2d33b5a19eb7a3a1e399f67f539b4dd6771b72c4d8f86eb7d1da91e1c9d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
948873f56a96c772a10cadc7abaadd4e

SHA1
e9eaf513b674050c88f0612b105ad2ae2533e7bc

SHA256
a55031a85f4349a9ef955f7889ec83989cd2a0726b55eb1fc283fd6cd652e331

SHA512
204f2581db2710835a48c56ae1fe58a2cc923eb0f92c8bbf553637aa9fd6a4bce0fe29084489db79d4f4028d8352dc14244fba8b12cbea51b6bc7c5e8c7b86d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
696b851d407be1057c611e811745572a

SHA1
9614f3f51dd41eb6acc1febad66f0efebd24cce5

SHA256
b0db0ce29b5f2a52d7e1cadd0e73331a35499830f4cd77bd2c55f81bbecd2bbe

SHA512
ab3c8843120d9f480513a2103ea1f8abb6ff5fa2358c165f2110d642d5cc7ef4eacd5faae402102d62f1616f6a0c8c87c5ae4189b6e2f1c03d6d995ff85ea19c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
330b754117780f83817e0113baff6ef6

SHA1
4d59e4fb47cca8f0d2d69be381ec288c3038bb5b

SHA256
6082a9e7e65ef4c5ddf5e8c757658e9e243574422099084dfd1530cb9ea36add

SHA512
6a65a90ca6d6d207d8dd7eeca9351eccc71e9d2bebd9ff8ecb6a9026c1f1b95981b34d45232940d13410e9a96f5a3c13a46a9a4df33eb392a603a882b818845a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
397e046ca68d3c61779df7e698639c4e

SHA1
a04a1c5f9d4e32c14324af65e11a75e858e5674d

SHA256
010769b4df054606e6fb1016a4662968f5110c6784636dc4d28e0fbe36ff418d

SHA512
a91dc5c1354fa9a78d26b7e325d78d14d479d37aa566a73b4ba16811fb2abdc20a23d46910497152ca99ec67a04d1ae6d96a591c958ff9852ed13f1d9107fe0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
7c1900415cce6b55faa9a9d330851345

SHA1
921e3ad2190825b0b4ecf079317498017ef3a2cd

SHA256
53797cd059b446fab91d4ca164a844dfb8ce593d67b01f93e94eb5c6c66f7556

SHA512
777f0bc09c6ae0a33887a57ab2f120d163a5214f28d19c8dd2fabdcd28d84b0c3b40433ea28cacc2c3e2150647dc933f91e63101e9c08402d4e8e2d718ee8511

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
671cfbd0275770e681ef4ede37140969

SHA1
ac145dd046e86ab6aff6340664c509c4fd5f1746

SHA256
dfafdb318c177ff96d9b85ed518f229398c3f5161f0ca48ff427516292b9d823

SHA512
d76a8d3a91d1e5e84b35cfa815736c1d0bd7252381f4e540a8d7102385224167b995f698559c95fa18ed3a50e14a58fb0a96bcedb57d4770df50f98c6d331faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
55182d891d98ec9d988cec04bac8752d

SHA1
e18a06e1498ff69c1c2697df7e195cf922a92e01

SHA256
08dc082566b36f693f93e341a5eb4e93a95d5bfed35b952f5ddcf4a5d51e963d

SHA512
35b9bf0c05da26bcebb4e259deca27c84e28521aff5a27af8205624581d1b0a7da6350ee7de0a2329c9cbc1d8cf205c1487638196232cbe794aaa91b0d86d0f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
4729e8a6ebe1b9376f10c7bc2c2264ca

SHA1
294a6251f50e3b526b1f7856984d898ba751e564

SHA256
fa3723d8179e888a402438b0e18c90e8bf452ba86bdbdb0f361b32d0492b4aa1

SHA512
17265f804b9a4ee362d498982a9c042854b7648b084bb6d1726a50aa84b56a1e8f2d40fb1c7430cfe819259f55cf6048416ff10115dbacb7a7797c2a1d7ed476

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe584282.TMP

Filesize
48B

MD5
9aa67aa9ac79728073c717ee4a117a2a

SHA1
b5da04cc885a800520f33dfdf4d0bcb801150f8e

SHA256
f4ba2b69f1bc4974f1e81c6757fe49c7dbd466c8bfc503ed1d0639a40140a6fb

SHA512
7308ab7d250ab20e6e4b489132749b272b2e1d15f02f1f2b9cf3669342599e5f0128ce936a60374e81961378d4efafd1ec35ed3be1e4d86b0d6b32e7f4bffca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
079ad676af6089c1e23b351aaa8a64f8

SHA1
32837ef8892ac365e25f54298e6058ccfd959b1a

SHA256
c1227e25c21e65d135dbc4cc5b27c5e64e51d594416bbc9127048edcf8dc5ad4

SHA512
3181586a2ae63af37eced08d75b62b19c3fedff4b17fd20ef239d9579688004faf8db38d9cd16d2daaab2460865eadf057da45c1904079a865d8783d8b894105

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9d91a93701bc119fc0ca0630fd842244

SHA1
aa314856ea7f10700884a990f775c61dae57f63f

SHA256
1f7327ee4665fa00f8dd7addf2077c1b9e2ef219eddec85e667af3cd5b836f23

SHA512
1326d68ce0bdfee0cedc754a2970379f877059469342d42a0b2a85b6f85660eea86867c4c19acaa0c9cc2ff3bee3a57979714dc16be208f386128454a9c3341d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8bf93bdd03ee2606f639076ef0c63f30

SHA1
55d2701d7c912aaf8a9ad8637278916e90355931

SHA256
75f2c66eaa799f8f79cebdda038917f4ca25f39599995d47d3748b74b99d05db

SHA512
fdf0d3c1efcc6e796fbfced418895bef4acc1a312c1d282d41147263b9aba630fb34a6f0669edc1152805c72c2bcfcaf6002a31d224d60171791d8fc1c40830b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
bbba61fb1328de1245d289356abebd65

SHA1
1c7f8f6dbb8e5286e8076dded9a346ac1be09629

SHA256
dc4f7fe24759c971e09f8e4527b88b6875a032d8f68af27bb9253dfa0941515d

SHA512
0e986e5cdbaec87a00df889d6d0a2752972ba6f5f7642dac77b49df762ce6df5a5119fb6f774d9a564321e9965e736054139b497e6d60ddf90271c6e806afc77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
80322fef54845ce5ef72d9867f5116e4

SHA1
9e91cf5ac591d1fd751a003c35e6359fa20d442e

SHA256
3b9bf5ba9ff4f9af836d871f77085ea4a58fd4e959f0f9f9e8a668884be388ac

SHA512
a23b1371e4bf1ef10e39ce785ec9a334281a5ba3a8d4e4a9974fc8050fc506c2da778f186c3cc2873e56bf84ba3872042eb5a00f9567bfd1f1f740dee4a10059

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
890c1cc4cbb6f318a041bf8ce8d7beb8

SHA1
8339677da5126aca2a5cd499a16c92830b12f272

SHA256
d7576da03d252b75acaf35770ea29fa19166d4053ddaf79ad64fb10ea80dce4e

SHA512
6c494cdcf1e09815470b6c72c93a6bb1147613db8e408c97bdf54b0ae74a5cb4c32f9e076b3d327fa28f97e8f5e2cdb4dfc9795d6e9cc9004bf9660cec5bd133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580c6f.TMP

Filesize
1KB

MD5
bc1a3fd6122de7e8bd5f1f71445d7415

SHA1
c5f35bce6aed8acea4c7c8683d17b7657201803d

SHA256
0581eb5f71e7039f881c9d977ebf187cce549aabeaadeaec13bdc2ad2b0797d8

SHA512
d0e9233e85900bce1d31ddfe502a3227f7d5cceceece2a2958785e58c718ed5f542b33242c6934909f26e40ef38c3cf2cd140ff674b420813cffa3f014faa49f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f9c3f878-18de-4cc5-a5ee-80d03caf102c.tmp

Filesize
2KB

MD5
a522b27bfbe78813f08d3ad1c303159d

SHA1
0168db233d65e06ea0b4443cdf0d6d5ae46a6651

SHA256
5865d21e719fd6418419d1c1ebe4424a7841ee69324853e84125404051096ca1

SHA512
47a42360d02863146249f48610bd81072892bf59d599ef0742e6d90d499bdf42b96bf71e7e6720e92e8aa666966b4e9260b1240569739ed76f22a506cbd27952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f7e16f857218a19636a36ec2b8ae29a0

SHA1
cf2620859b8d2c663ba0dae7032b9b1d5ec6fe4a

SHA256
3443fae6e779c53d59023d7817c435fa81e2b26b684ce012f0534d886ac29d2a

SHA512
62632145d1ae5be9be89444c6094bf0c41503c946ecac466cba3b7087b16b3e56a38f929202f0435877553da34eb72fae83286652156bd92cc4a005f0c07b0da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
857730244f63887c9dbe61556adbfdef

SHA1
701c2d4d7bcd3e1741ad37a9f27870844c09d0b1

SHA256
98b5332848bd40fa3941b7a95ed4ec44070a27a05c8265cc03783e8d740eee68

SHA512
63a5de7f030721afabd4ce488c9ecaf1ca81f17e10eec80bab82cb3702c83c023aec035b45f298067a12a4cb1194f122a023a2030e0c225c17e5a4a354fa8fb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
785f59f01cd51d5d7686cbe9f2ec7977

SHA1
be926f9fcafc87e350b959dd1df1e61ecdccaf03

SHA256
96c018344cd13f8b7b959bc83844d9b647f49c9495f5e1ee7637df899b3e9e39

SHA512
b3a26693db2e9375d2d95c84639191df1d1e54cacc60d53f3ebaf589954f8be62f219e217cd66a61cd63589d6e7449ab1c05a54e91fa6a9b9b09a453b5774d97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
15250d35c51ac53f124353fb7fe5942c

SHA1
33e968406381dbc5bf7a6a45ade04f92b035173e

SHA256
3b50c66f4d40546f23cd38ba8c0ffddb9ca68b114c99995d286d483484abd106

SHA512
9e47874af40c194dc4f4d461480429a960f32d9c526d224e07945caeadb14d9bed241b0597088eaf287cd6a35d072e64fbb598409803ec15a9ab506a1fd5857b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6623fb40e33dafcd12ae303e67514fd2

SHA1
2b08ad1a009ccf87e4e7e3a10a18ee6ac9be5f15

SHA256
95f389f1a61328497d9619d3e3fda07a887f184b0b02394ed2fd0ec4eca8eb59

SHA512
5146026f5a7e060a19cf3dd2b06cef938cd301d23dbdaf8082c2ef93c34c9d73241a03a97e48bd132a9afb47c89b28f99eb9bf3d20e353fa69aef3289c517e15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9eece23c0863104b7a48b8fac36bdf20

SHA1
4c16c1f1ef25fa522b4c355528a853f2f86a6736

SHA256
d0bd5363bdc8c8a360db90d485841cc5169cf76f2e40ffd64ef905dff0306b31

SHA512
532524ea200581f39a3872169317dc22b30f6946abb9d3a149da65b1ea50f41cda0051545699665ed464385a20b0223bc0cba6a7c3405e25552dcf56e2d49865

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202412211518341\additional_file0.tmp

Filesize
1.4MB

MD5
e9a2209b61f4be34f25069a6e54affea

SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0

SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202412211518341\assistant\assistant_installer.exe

Filesize
1.8MB

MD5
4c8fbed0044da34ad25f781c3d117a66

SHA1
8dd93340e3d09de993c3bc12db82680a8e69d653

SHA256
afe569ce9e4f71c23ba5f6e8fd32be62ac9538e397cde8f2ecbe46faa721242a

SHA512
a04e6fd052d2d63a0737c83702c66a9af834f9df8423666508c42b3e1d8384300239c9ddacdc31c1e85140eb1193bcfac209f218750b40342492ffce6e9da481

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202412211519531\additional_file0.tmp

Filesize
2.7MB

MD5
be22df47dd4205f088dc18c1f4a308d3

SHA1
72acfd7d2461817450aabf2cf42874ab6019a1f7

SHA256
0eef85bccb5965037a5708216b3550792e46efdfdb99ac2396967d3de7a5e0c8

SHA512
833fc291aacecd3b2187a8cbd8e5be5b4d8884d86bd869d5e5019d727b94035a46bb56d7e7734403e088c2617506553a71a7184010447d1300d81667b99310c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B465ED8\setup.exe

Filesize
7.3MB

MD5
5de6d68dc2da990b0b0e8ede5efbcd4c

SHA1
f2f348737bc87041b76bf86db7f90b11e3332f9a

SHA256
afe8e65386fce7385b8c2229b6dfe3da4d021606bfe7c19e982737c95adf68ff

SHA512
21a53d3d8695acceadf13de30b2ef7c9bc8946162ab5c672aa7eb06b432c52eed657448d74c28b842e98ea6215d4715c4baf01efa1a4ec9b1491df956880f96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
515KB

MD5
ac3a5f7be8cd13a863b50ab5fe00b71c

SHA1
eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9

SHA256
8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da

SHA512
c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe

Filesize
2.1MB

MD5
2abaf17c453a12ca606b26bc68cd372c

SHA1
1be4cbef9f706026338964348575b76c74d54a55

SHA256
514f975b2b5edc2d981df09d7d1f206212e59e04e82225b10f2b481047be08ae

SHA512
34da3b8f751b3075a275b24decb27a3d97a4c4ef53b9a4aa87984a4a6ac675aa0007d793cfd7cbc605de8e96ec83224780dff437b8ab84a65593dbe2a0e38c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2412211518325545148.dll

Filesize
6.8MB

MD5
4b4419a92f8f84d9a5930ca78d06c0f7

SHA1
c6904afd256c36f3c63e61a5874f1e6a6def28e1

SHA256
5bd375c597ab5d88202ff01e9528bb72c0b17a171510a1839708a790828123de

SHA512
7ffefb73a0141a0b1636db96ddcb1d2522005364d1d1e445ebad619c0364bea0c66e2d86c95c5ec9b0599a5cb6cdfeb216b65e346d80918076a436f687b608c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2412211519527582256.dll

Filesize
5.0MB

MD5
0e962dc07246cfd5dce2ca27f89265d9

SHA1
f1edff1c7feb240660f7cf70379d8479979cb53f

SHA256
29e27c8753ff9282fe32e0ff6ec52f6451c1612919acf3d84c90c453c3032485

SHA512
1efed4cfc671fbd961affe0ef0979ced4fd52b994e65cf3fa96e7e2407417ab2bace6319f0d698e2cad6905d1355407e667a93517138addda638fe739a042036

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

Filesize
184KB

MD5
1156779d6a1fe7eca6f4f70b7e159280

SHA1
df0058c5e0b2b6696d25e49cad5511a9d5fd9f08

SHA256
bab846b6030449f4c37af32c8119ffe595b5a3d0d924d5e99370dd059bac2767

SHA512
addd3a223a48697d9ea9d1e8ade91c70221c71dba64aa6c30877501acf17ab079d49d48fd7cab614df52b0f73eee771974ac64ca8e7a0c1f930a035e0fa7c2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zhc2iguj.s0g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\0652db59b612c8672229009806f5673c.png

Filesize
809KB

MD5
9aaa60a98d05e8e0512a855242a916c2

SHA1
b56f525e4ef9cd75f35b993ac2df527fdb5b5c55

SHA256
71f9cbacec79254dcbad11551d4009a69399c55006cf95aaf61e10ec7e88c287

SHA512
f6aa4110eb6c904b9ca6c6ea34083c01e0466ea050f9e9b968e70e1b21e7e138e9550223478b0c21b50cb0f7ec3d87b88b5ef8a751f5a26a3f146d89fed7ecca

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\06863b6c997b988a0b25478954936acd.png

Filesize
1.7MB

MD5
0aacdd690568fc5f112aa989e683744f

SHA1
1178d794f9ffdc70a7d5d72a02685607f7390726

SHA256
0d558fcd28438bb6aa883b7b8915cc2dfb509b7fa015519b892d22bf33c9839f

SHA512
3cde92ded136762b5fc82f082530b03fb3c941ffad2adbb25bc5eaaf4254f89d9a0f5d25daeb128318e06f5b1bce93eb80446a5458fee263a6bbdad207c1611d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\0d24dd1f086263a27280394010d07076.png

Filesize
1.1MB

MD5
a924291fb4f8e3ca693fd97723a0b38a

SHA1
6e50dc6904b856453cfe35db4933d26cbdfff3a2

SHA256
8d12cac6dd8da28e270c339325d67a2e3aa3d5fdcb64d1ac0a6698e507573959

SHA512
5464c724977505c0b3b2be2dadcc98d85417766c252826795adcfdcca95acc39263b8dd533b1bc1a0630690769bd4614c037c93d506d76933a10d0a33af3198e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\0e821c73b0efce519b102c9d41dd7e7e.png

Filesize
956KB

MD5
180ed9f7f1fb062ee013ed2d2db4baf4

SHA1
2fde78fee3388f37e3d963cf377b6cfe05e68719

SHA256
47c0f7eb3b1ccf939eedfad6de69b83efc606498c2a852c4e37e3c481b40890a

SHA512
3bc168dc925a71a05016072a41a9b90260900786cb54842096d29663411d11b46a0e531fa42e48f74b9cc48365597be6bbfc76372b33b85611001af5a58295c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\1540bb22fbba0d16d71111edd8c1b16a.png

Filesize
2.6MB

MD5
44451ff579b31c4b11e89d0166db9e72

SHA1
6c046e595f228912ef3315cb43c2ddbcb68ba34e

SHA256
7425e8850a728819de484fcc6dbcc4b3e19ec0bee6f117822927b12d578344e5

SHA512
451bcc46e4e366d20a3c8be203fcb1609409cd68c951defdadce959b9d2035a692c2b0485d2860a2e8856ebcced6e0b479a65484513ef3601a493fba33661ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\305494b58d8fd53ffeb260a6cb918e1d.png

Filesize
2.9MB

MD5
c06ec4b445ac9eefc20b8c05492d224f

SHA1
a6a8ce50c67f165e3fcd70b7a202bf08ac165ec4

SHA256
9eec25db42ccc4d457ea3ee1ba870d101dae44659797597133331c971f4b4dcb

SHA512
b5da6f5841159803ea2982cb1715582cb6cfe65a35d4af60249595099b36320713d9f8ecc70dfd1291dd5d17bbf8dbe6cffac248fb98acfccbb8f846b6adde15

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\30c4239a9080415b9c0c3ee740280c85.png

Filesize
228KB

MD5
2cec65e6907d9409210d1182b1eb96ed

SHA1
2d1051ab31839c0c9ebd64f4ea53155f479686bc

SHA256
0a9b7449915e8e1d79de85d8606ae865149276ceec7ce736a39af96214768876

SHA512
81b1de5595c7e2f312889972a749b84d527d6abb3960d013b5b27362c8394e1fd2eb0e0a6bf8f6014233be8dce3a51f679215367d8e8bdd483720815d5174cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\38007daad993d0a30d44c531b566e801.png

Filesize
517KB

MD5
43ac81d7267e7773bdf4f74886181d87

SHA1
04f95b2646f643bcab06a196a225d780342709de

SHA256
7db600461e0d1a07848c693a64b077bc5897c347a1c08a3c1e6d1d0bd3b51d1d

SHA512
726fbe9d7e8be0374b3e88feed8a1e395ab45263ad88f3dc94e7b4627b83c72cfbada8f1e2e9b8f279ba217b8c49d866bf1d9e43481fdd4a172073bd4d08bf70

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\47ddf14b8d6f683aa8ba1f577a8adda7.png

Filesize
451KB

MD5
758caed982c894b0f398adb7f659772b

SHA1
6ffe9317dcb094b5106fe135ae4389c535d731e7

SHA256
2010dcbda935556eb53f41a722744c2e23bb50cd05f1d9432e5461045812515c

SHA512
205b15bee0b60f090eb8022174da6991d35c801f3874f500fa64e9959db5136fe0ec25a241d6f5c2bbdff87a5bf68e0f92d8fa8517a37c350735f10ff99e5198

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\506dde2b310688ddc0ac06af6b03f454.png

Filesize
4.3MB

MD5
c2618593cbf3f483954c27734e7c91cc

SHA1
1fae4a3634d7ca370572d045bfe27a3879586a52

SHA256
910a0f8455a3c7a3b460a215892030bc99576800cdb9ba23406a24cf7a05ae60

SHA512
6fecd47b037262e7b5e806b55382bb052c793085f4966c8177bbbbd23bb3213f6aa341726636509550ab281568aec409a558da26d1034226f8f1f82b527313ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\53026486cd0c51ea325a2fdccb4338e0.png

Filesize
200KB

MD5
c750892215c7488392c5829d8a9f6dd5

SHA1
1276ad45446329138880b6cbbe6666b749f411a8

SHA256
74dee0ecb1f53276a7935f6c907cf2ffa987f17fd1eb36ea37765e0d4ad275e4

SHA512
bb2dc331cd4e25d295236645b5e61fc99831c902c5e1d23769984c546c3457c1141fee328b22871f1f3419a8381a60fef868b2f1af7eecfcdfd933bc896b04aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\63e78fc5dc38deacb9eb79bd0d516f7e.png

Filesize
4.0MB

MD5
6ea80b93a4e6c61aec20efb67e5d7236

SHA1
40bce81c1e2f13534aabdb77bb1e22bda033947b

SHA256
3910122fe87fb7a96c42f2e057a2c7eabf75e2aa3b0af4dea777b7e2e8371d48

SHA512
608c3187e3ad5ecb9a787a4976f69e46b840e04d900eb9ba9f618155f4eb818321414809af99f917f24b77bf7672ec4ff77543e72f080c3c2de0111ee2a50be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\7342b431386b839b9ebd18c5f59182e3.png

Filesize
172KB

MD5
806f6146b3f8970b235fc628ac8b9a0b

SHA1
b20be9f495bf4656f4e9bf5e7f158ad7a91a7611

SHA256
8a7081f2bb71d80ef9e5562753fe74a4d58a850271c9194de3def3bc39ed7ba9

SHA512
30e28e7aeb47cc1010a4cad4a4c564805f74fada30ab190ce6a08f3413e8e89e51329ade2293411b645096656b1ed30067e175975e255e926e10ce5b6d4b5481

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\7a0e47e68b4ecc51ec3c2477bbe4c439.png

Filesize
381KB

MD5
faa264ef80599430df4773babbc75cba

SHA1
f4e08ab89fb9364efa3c305584985e4a03c58019

SHA256
fc3f79c76e1051f2305cbdd78bdbccf6bb78144f74146604741de01a35feed05

SHA512
f063bcf41dd1ecf442f5412fd2fe282432bf17437972abc19e5d9bb52f496b425809f3bc1e143dc9a719c3c0b59b6ebbe23eec176fc93d8e7f588e75610019d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\827fde2fc81570ee2382ba66da27961f.png

Filesize
1.6MB

MD5
3b67dc34324a46beeb9c2968f5ed9256

SHA1
5ddc7617f5d09e97b43089dca59e82ed953a259f

SHA256
9997d0b23e68778ffb85b1f9efcf1f9ff9dee287ef44da71bc4688b2a74e927f

SHA512
5def7ae832aa74c44879dc5408f537e8558668fa8cf275fe097d2fad622ede3163885aab3c44771ab98735dce6597d274800571bb1f2ea1787c759e0694762e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\9309939de3a4c0af457dd4683cf2200d.png

Filesize
3.2MB

MD5
a4a74bcd895f249acddf64527cdd453a

SHA1
9c1f9cd0b95fec6fa413440bbdc05fe8f69fc8fb

SHA256
f39b817020862620fbbd846a69b4335fda23b7eecf89d1c6e273a4237df57037

SHA512
0f09252143eddff56d2eebe89be721d73debaa09f987cdcd452160c0f0e8d04e1e87e2c25aa059bb92ff7b19065612fd8d4a738f4d442b45830584920395dc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\9412adb0dff4b919a3ce84d2710b4df8.png

Filesize
682KB

MD5
63a4203739931a9bba55648dede9d96a

SHA1
e606e0d4474cd69f7f696a0dde6770f66f2b0df5

SHA256
4a72e437c33fb86bf1513f1088a14516dea2e2c409126bf760c3365e0e3f411c

SHA512
46798c6d116100d44ce753ab08f704fbb2c0cc83d948560dff9752406855b71cc67f3fd2e5439a3d0e85e248f5a0daa32bd0afe20f7632186b7bd968df5d2867

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\94e0c3edc5ae7af1904de2471036d85e.png

Filesize
1.1MB

MD5
8ff54539db826cd25d454094534963ce

SHA1
8800e2660ee95e850282f2d0c58923bf3fd8134b

SHA256
a13ec435ae469a4c4379c149467de10ad11ab2333e47f1ffb09487caa7230eb2

SHA512
0e71cfcaf06f92c89cdccb44b240da8fab21e1ebe73bc6d401da379b4bf021de4051360e8b8ea979325a6c70c38daa6c56e2051d2b83e233641388d27bea7845

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\959eece144a5a6ce6c53a28f89270564.png

Filesize
377KB

MD5
f4d002685d9a194f1c8e378f31d34a7a

SHA1
eef3de2f726b0f4e5ae2a87406dd867e1c7bc0f6

SHA256
e326c12afae210d30ed9f26cc36d1c4e1e9c06ef820a6b601fce7019b5416385

SHA512
5c03adab5340dfe55b0430e5c9f888725f60f3ede15662c3f40df9fea4ca1526c47f34aaccff85be28c982a05203fd62f33689bd9c21cb829b962c08ef2c2901

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\9706625be9f704a156df8221377b5a36.png

Filesize
132KB

MD5
5b5a500cfd4ddf9f7dfb446668da148d

SHA1
aeb9c24a65235e6e70bc51fd6d12425dcf9cb9c4

SHA256
2622c99d9efe1d6cb35b0212ee7de3de5109d6df9695536bf2d0d52109f956ad

SHA512
59e07c665d648d2554400d16ece7735f7e9f5a13684627fbbcc3a8180acb884429b36ec410087603e9a9dd6580adab1348f589645c541e70492e0f271f98a9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\a19d01944c9bdb6017cf86da8dcbe8ce.png

Filesize
1.1MB

MD5
f5a4dc1f02c29f80386d970d6cfdff86

SHA1
4ef613d075450c9784a138bd7dfd01463f4685fb

SHA256
18a7ac8e98cb7e7d593438ae1f026922a83ed35f6d70e56ffb76a4159aad6e06

SHA512
be2fa650d577f62dd8d87e3190a68f9a4448d2007df0412f571abdf02fcf3e6f68be78282ceda604cc7719d5d704b93e1834da1cfbac0b6d4b6fa5b714af8e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\ae78148e589ef2b02ced63c2312c6ec6.png

Filesize
2.3MB

MD5
2646bd2443f62807dc1447ef565e9737

SHA1
fc809f906a4621137adb03da680285c3a695720c

SHA256
e58cf57f20957044784d78f35639c2149ea3291d342040588baba080160da01f

SHA512
2ea450a87ae0d98e50eaa0070fc22000281f3fe1c1a98e27fa5db6ce8afc7622d0d1f5ac698b4564d00320dd6dad036523a123110cc753e9d1d90fbba128c7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\bc4454a839a50e2b5292e2f08f3a13a6.png

Filesize
296KB

MD5
cdf0f44b9be2be8d98d19d338c0a5b11

SHA1
4008a2006a775605caf245410cf9c346667e024c

SHA256
5b300cc2a308d9f5640d8ac7643d5a5dbbcb025e02f305402cbdc015d2a49781

SHA512
f56ec411ad4f6b6c547f99ccf4b12fdce8207649c48faa7ab37fc9aaa2a5092aa8b093c229467bd09c58c1cc3077c8a0bfb108e3c8eafed2dbbff0a40a1666fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\beaf3e36911441b70927ecb4884d360a.png

Filesize
309KB

MD5
67a50cf02f92461e18046c6c0e66fd25

SHA1
31ea768b478dbcfa03ee7fa8fdcb86a3369065b2

SHA256
a929a07eee2930e6cd8b8d5aa4845d440492b5d3e8c399929341af4cd1a9905f

SHA512
b717e91b12197a5d5e543d5d961b60a25b82a7ab1b46fdb1458590c90cd5c24280d33586764e1eb8ce0e020fb25f348a3cebf1eb849b7668ad8e792dd52d8bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\c614181748c588e16a8d306b2b694370.png

Filesize
2.8MB

MD5
2255cd0cd74b77b9f7f9134f8a59a3c8

SHA1
48dcf740911958f1c3aeba96d2e28ee1a33da09f

SHA256
e855ce4d3e79f2e24bb172922d43fcf8856819bec1a19671469a77b3b8957568

SHA512
937096787b1c8dac487677629618cba85f5481b6033b51e4cdfea3c0f7fb05c60051f5074ff82eee63105f90d7a7447357bef9d78724e2db4d39d3045d80dd3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\c6d0c946421426f1600bd303fda9f2e3.png

Filesize
1.7MB

MD5
7be72749b45084375456270c7dd961c0

SHA1
caea2cd6f900d3ff9c57cc1965bc0d774be5d655

SHA256
378890deeae57d3c9873c752227c5e8849cfce41c4e6f42d0264d2a23de11d5e

SHA512
d4b63661120970ec804c84171fc237a5771629897699ac2916e96eabbdd72e4d4043731f84dc797db1c9ccd655edfee542f7f947810cfb4cc8fa38dcbd083a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\d0edd9f750e4f6152ab970a2a1270528.png

Filesize
429KB

MD5
3d66f520496d3a84063dcf3559dcf972

SHA1
e2ffeec965ecb249dd6ac1e45e5a0497adcb7ef2

SHA256
269640c56a282486a33fb40a8e57b078634f20eff22ca331f67fe30ad824a55f

SHA512
e06766b8600d592094b0efed97a5ec1d1451a963b81e913cf794f2f7e99296f16b6acf8e878b0d9be7fbed889b211e936b2546357daa5655b52dcd6d5ee56a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\dc1d9d6c23496fa03e06294579189ec9.png

Filesize
1.0MB

MD5
3afad9fcbd2a754accf46cdedd734556

SHA1
b19d8c500b12ab50c7025c3e263e541959ec5b92

SHA256
520aefa172c7e6b21dff426536fe11f438bef767f483ce26dccd18968b304cdf

SHA512
36ed54986e10a2ad9a910f184afed56998c4e7ee8a2707b432525df8184b5dc0578c9c9cedaf4808678bdb669b6772455ebd33762f380ce93aa21912fc45c463

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\dea813a4baa55dc739687421a5489890.png

Filesize
280KB

MD5
7850120a910edbcfd5362ecfab76fc2e

SHA1
f0945e15a27732b6b917b09300cc6b3267d017ff

SHA256
83afab61dd1e26c7bedcae74fc7128744579d2bfcd576ddee3d42fa0d72987d6

SHA512
78adc040c6e9b2bc2c202ab2e4dc4b9223e7df9e3a1bbcfbc97a227cf4c5b0ba42cbb8b65a1d4e8d497edeede09a1e6d3f57d314a4b4d9da9a1d3cccd396ef5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\df1b848cdf0cb9d3c34393d5672ee8fa.png

Filesize
2.4MB

MD5
228a64476feac8d4cdf54e80502126c2

SHA1
541cb33c8dc0c271dcf064d2bb1a5a09451c6256

SHA256
6e33bf6847f1e78f654477cf9e8cb20ba7b4e1023da2ffff879d87b99eb106c1

SHA512
4baf332d6c36eb1965346db8758532ded2d4191f74c6c0be54422a4c915c9655b831403e38bfac4a0a32f00905e6b6199c542bf8ff80a6ceeb6d0bafa5ae4086

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\df6c9d3b733211c3a6421d5be10ee362.png

Filesize
271KB

MD5
45bec10d0569de6d5d8088ca9f8bcb75

SHA1
8830c5b4a0242a0f34ab8d054df27e57cb45e714

SHA256
d62bc5d430072585637df740cf990449cf6e5aea47dfcab67d4960bee3cf8339

SHA512
2d299b523ada4113126fd45ec948bb314ffde55f03bd862d66de9a702a27cdbfd3c3bb3d96937b7b43743910d76eb17f98e33193473b31816e51879b7c3fd723

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\e83ed9fc67ab81954565a417c596c4ea.png

Filesize
1.5MB

MD5
a3f4e0adcb9bb53eb8a8c2e0cd3b957f

SHA1
1155c4bd814475622fb90443ae61e430ba9963ba

SHA256
0104cd8aa64f09635834a3c7440a6684e5344b82b883d2007014c60ce35c03e2

SHA512
449a42b4cf84597ab0b108e9a4ae83e717bc796985e7dffa8ecdea770fb72eee25ada4b2de0e41c547a11a0991eec47363f99227e14c9ddc24b249a64282fcc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\eb316ca9a4e2edcdc1881302277d7d5d.png

Filesize
378KB

MD5
d831293ccb3a1ffdf88639b6c180180f

SHA1
be2a0f420fa7b61053f16b59d0a63108e26e943a

SHA256
6f00699629bda1aabed500c80e95d99c93d6038d2e88459e86f023cb1bd219d5

SHA512
52028163d22816bc0a82a81654cba38128c1cdb58808a74f1e55d16bdb4143ac3e7db036cabb67c55bde705127db527e4848fc537166c904bcf89e32bb24522e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\f3d3a164b4e4f4b3443d21469f3a7b4f.png

Filesize
283KB

MD5
78f4e28a3cf5170ed6d78f3943d98ac3

SHA1
24d2f2d73c715d978b7f656dcf982d30df53afb3

SHA256
bc7e7a2c7842c6aaa6531f84b91edfcc26a38aab1173c69e8b7ca2a5eb2b1ff9

SHA512
53b73968757138f98b0c7378fb0cbbf74bc7e870ee7cab867eb4965abfcf5f4d3aa7a68d6bc6c12d7c991f9f3513493d13ab72556a9d3cf77e80bbdddcf047d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\fcf071cb7a9868fd1477405cfc31f0f1.png

Filesize
193KB

MD5
1be4d35bb03410dc5814a391fb39093a

SHA1
364ba729f6a17b7196efe354c7f9ecfa70db81d4

SHA256
4282e98f7e8ba8d9f133f4c7d5d1f730263c565cdc4270e00ea9dc637761e584

SHA512
69adb08c57d0ffe2320a7c78d8dd3b7e18ef5aa7df7351b339f4fcebcd2f435070a32fc44f7de4668defb435d5107cdbc7d43fc8a9183dbc6a99e2b065557f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\fd7af4087d25fb9733b803ef1828db72.png

Filesize
302KB

MD5
78f8d650520bfa8699bf5bbedf0c45bc

SHA1
b0b25d6923fd39ced207b76eb9319bda3aeb70bc

SHA256
ad4b286b1760785ed35dda4a909242f2f218598bb3552391ee60821106c42415

SHA512
fe76107433dc1890c7e6968e7afb5213a1294d567c47cd9550589307bf053518d6dbe5266e962fc044eeb033b39aa4754dd9c9afb83cdd75a90f3b2286f5f34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera_installer_ui.lck

Filesize
4B

MD5
5615f28375e277c8428e36c6908fcc36

SHA1
c6da65040d5e897dec24da51e10560bafdda807b

SHA256
23971a5c4ae7facca9b4cf5153fa76d9f082f233bb432d18cfb7593ee40208a8

SHA512
ba99e31d008dd151e4a9747b57c922fd605506cd8049f4a16f6b7aff66399a5e73f63f8fb0072fcdff120b916b1c6eb410694761114c7f8e0b8d4e40b0afc150

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
94ad90142007213289f3aa06bec75523

SHA1
2ec6e878a479f7d960f27b346dbc41d61b6f2a36

SHA256
4d95e14987be2efc60bb194c4b602bd20633469c72fca1567204a7d0d488ccd0

SHA512
f6394562e04cdceb102716ecaa3fec06168049ec93de48a0a89cf563d0b6fbc00e0fc8bd309a0c2497e8afa181f59deb57139adf283df238a9cb6a9e82489659

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
46e28bd7aeb8c4c65e3ba88c043ca29e

SHA1
80e2a6242e249da5646766c7f3e56ad4c25ba2dc

SHA256
7a66510047c19c4401f1328f9d6b83392d4673d4045de09b8e49e9020415e87d

SHA512
de62f79f73f6edf034116b6b00f28e9d3b7e6fab4ad49e7b0ad580c4e51c115734586ff77555eb4105dbec8da4babd2aa73040b484a5c5f0a1547524826b73ea

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
be2f5f1dae3c4c29bc1f8e9ffcb71e13

SHA1
6c801363769b14605f060cf0f6041d44aa3652c6

SHA256
ee6425f5cb15b6bb7ceca0cadae409e3898882facb1ad21a5ec77c600cca0571

SHA512
7fdc051dbb28d9ff9abcd3bdd08a1f8398aa7bf839f279549549dae590ca18421ab5c6993af784525f4a332dcf92e1b5d26bf16b3c94de55f7373a451534fc5a

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\games\0.svg

Filesize
1KB

MD5
3c82bc5493a92aebc9064551ea8d38ac

SHA1
b1019e3fe4397f7215ed8af2c0914159e986fbb2

SHA256
6046c1e9b8fc8cada4c4e063b031e164163e7c5723afd8c37d7df6c3054e1e7c

SHA512
126c5773e2192629eee40a611997f01c14bf598215d6ed33488b9d934ac41acfa83b99d7f373e0726a459dfee950011a0c24f97fbc600f5f96dfbb16ac7d9bb9

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\games\game_icons.zip

Filesize
131KB

MD5
4239bfa9d46d981fb478a7814f6bcfcb

SHA1
47ca4d235ca49c4cbdfc3bfa7bf640dcb3588d3f

SHA256
1960622c2e2992eba38e38e92ee1e1f9276676be60903c05d7405b342c2f99a8

SHA512
49c2f85b016f9ded1a7eb60052af76e759aa64b8b2d083987bec5cb78dc73d65e0d6828b61099d26ed1a43f9d6855299f7fc30768dea92f77af850d482fa336f

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\libCachedImageData_v2.json

Filesize
1KB

MD5
04a0344e01e475de4d3428b2e718bca3

SHA1
2435004cab262078a86148f5e036ddb8014f7df9

SHA256
abc9d2a4e65896bf75266b9c0afd19b8f587e108cce3a8c5a0798ee8e62dc78f

SHA512
0823f314b07d1e41481465f97896794530b417b5fb304298701304459385d40f4c158bd7fe297b4f21cfff6b71890c33de30e3d10aa3c4eea4c9ac5a4f7f423a

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\libCachedImageData_v2.json

Filesize
3KB

MD5
e2db52d5c9c9b2491f982d78e6fd062d

SHA1
9325e497e91139ba1b57354a07656a3c8e9a8e2f

SHA256
6a0629af2f96323b916c9ec9923684f273a65e2defe5ffb478eb9dc598329544

SHA512
b39f5e468b0acb1c338641a8507f9f35e5982db51985e8100814c7e92f82fc206852a3aa880b953f5b46d4a11c5ff7f71d962946c688d113682f11df912234dd

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\libCachedImageData_v2.json

Filesize
5KB

MD5
6d4a8488d483db7c5b4462f7238eb1da

SHA1
3c7040dd9a45e5f7f59badb0722f70cba6c2a819

SHA256
2e78a2d3509bb0f14132da5eddf8f76e886e8244bb06773b2d76c9e3cffc173a

SHA512
ea5b5dba3f156c282687bba4c99b41ce715a39f129c6a76225bfa9d2683b7943d9149f9afe938118489334b31ab253eecb84b880c4166cd36db0eb8438a3a42e

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\libCachedImageData_v2.json

Filesize
5KB

MD5
9460f6bb71077f9de1c63cedf32680af

SHA1
27d44e7a3264a48aaa55627f5ffdfb53b31657bf

SHA256
5429a76da2fe17a85ce86fa143e32a76b3c3c80fb1ed74652a7e8c0c3afe0a3b

SHA512
d6f4cc52724e4414f8c67eb727cf5eb3a72d8014b67610990b2866dfd11138f83028c232c9c32b753c7e87a6a39b0fed751e85822ff4dcaad874541e3b3521a5

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\modifications\cache_data.json

Filesize
1.7MB

MD5
29d85a1349d2da3ac1688cf7638f19b9

SHA1
0f4e001129fdf63bb8510c82fd63537dd2db15bb

SHA256
622f8d7b985c49d2549e33787307c62de52b309d2c5e844c3ba6d1dcca260692

SHA512
349d233f3087d3a5f4178a7e21161561958a850d6d15355f049243e2d8ac99a9eb42c7d1388eef44b30aa7da72bbd26c4dbfdf8d6c387d7a5baced2453f3c6b2

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\shared_preferences.json

Filesize
229B

MD5
e08d9bb806d14c2b4b17d2b0122ac2fb

SHA1
9344e27d8616f5cbfd2149ed53de802dd0719615

SHA256
2a867300c60f91e9b33ddeca2448dc820d0ca84b6ed3998c787aebdb0c5411b9

SHA512
22ceb0200f473ba7e2be96702a5537c01fd57b3ac97a93c6abbf9eb3e01f4ae96cc251f6b0e7fdf5e5009fd7d193e41fc029936dac0d71d2ae9dcd8e3e553715

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\shared_preferences.json

Filesize
371B

MD5
1de091c026180b34b2cb65be161ed911

SHA1
59349d61c9b2cd425bdf8a8d0ba7e866eb180b95

SHA256
0a151493949adc2614ce30ba4f7d39aaf515a806ad4c464f8f1540d9f58274ac

SHA512
20858465108090479d75e57f50ee87f3853458c2a90603460b308e2028a642598f7bbf4638b59f93ed4448f9216a480877a076d289ccf5e25ec1f139adbf2ffd

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\shared_preferences.json

Filesize
895B

MD5
10d3bf8eb08653e95b583727791dc164

SHA1
747eaeff8e5ca0fa0333624abb15d2d48978adbe

SHA256
884abaa8c38c321cd14892526ffd5ab9fe71a533dfa8795458f7a9731b562790

SHA512
fe87edd841d92b4eb4d90f15ebe06604f8cb928e4bb1c832924e55575271025bad1de2138ccb8589ed446e4a44a756a658cc71df6b4958d139313db470f2c090

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\shared_preferences.json

Filesize
1KB

MD5
c23ad69bce538c9f08bd4db06531b716

SHA1
54ac7cdd5cb3ae8a74b1d8e792686a3972278372

SHA256
fa8452de1dda08aecca3cb1546e0a6190552546710629512d5c769dc8ab80b24

SHA512
650cc47b009078c7f69967eb0f894e30792ea3471809edb61a9411c3d7e1e1e081374a42818549f9a69e8c70071498cf737da1d33ca3c48e3297fd16abc95a23

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\tools\dxwebsetup.exe

Filesize
288KB

MD5
2cbd6ad183914a0c554f0739069e77d7

SHA1
7bf35f2afca666078db35ca95130beb2e3782212

SHA256
2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f

SHA512
ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader_Installer\shared_preferences.json

Filesize
269B

MD5
faefc21fc67319196617e459fdeabef7

SHA1
c34516140aa658500aa22dfab61076b4b22a8c71

SHA256
4fbce39f832c081abebae21871bca270a882551df1a886b1a0be3e4717c127b7

SHA512
1e9f99d57c53033f685fb8b30120b427dbe84eb6017e00ad487475616459e8091a8f3a089d7f127d28364502ab033e0855489c5dcc92021fc205d7d864c7db88

Download Submit
C:\Users\Admin\Downloads\OperaGXSetup.exe

Filesize
3.8MB

MD5
53a979508d37306e043a9d1524ef7c1f

SHA1
9dda56a2f6217129c5c0f407368d9662dc660e80

SHA256
aa10313daf8407005acb549bfc21ebb795a1889c5278f5d6fa976d0d9a8ef9a6

SHA512
dd33fe0194d0fe7e7327ebc816ac2a03fca5c94b2f6e2653352739ea2c2717337ee5fbb6fec6035d2849135cec229168086bab52fc1703262426c31074f6259a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 665542.crdownload

Filesize
26.4MB

MD5
2d3bb824bab42e39818e768c1fcc0e43

SHA1
09bc8adef1d4444c8d163a768f419f12f733b9a1

SHA256
c8b7de3ce429150617f25529aa436d28497b642925b7ea384c30f529ce8bc23b

SHA512
3cbe7b4c7e38d2a6095e2e471308cd6cc5f185dcf45d96a5a28c22d946606386d7da411150b9fc9a9a8bb66c204693025e346102b06780a4b2dd101ab7c5eff0

Download Submit
C:\Windows\Logs\DXError.log

Filesize
361B

MD5
b807cb7297205326efc358d5170134e7

SHA1
8e870bd72b18d8faa9a729b55ef834db8d85b765

SHA256
af2947b3f7886e0265345a97e495d55577ffdd8ef5ec730c7dd25b455372bb36

SHA512
f6a99f51e48654003d822dc9c1743549542555f55b6349fdc9f756e970ac47821b876c49c0fd6c03d2cfbab424f9a19669ee36ad02f3b6be23bcf7cf95059e53

Download Submit
C:\Windows\Logs\DXError.log

Filesize
722B

MD5
2700c8d7988f2f673b70bec62384be63

SHA1
b468bd2fead924bd35b54ad52c0aa517d43b215f

SHA256
04788151854af20e15059d00a186ba8138474584630f1721acd29fb4825054eb

SHA512
f5232e53747868d05f1c2cbc3b7232dc15b133a4a1e73ce0127f1668e32865a7bcbdc007f6c0e141eff001b6af15084de630a1b4c7ec04987c12c92ec7ebfeae

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
1KB

MD5
c60254d1a658c1634d8616dd7bc7330d

SHA1
8c82ab43f864e67a1feca90eb3622a1254be3a7f

SHA256
98ec195d5b18bf1b8ac65e777bfb37fa2db280e03eea79c88830a94e0f1cf6f3

SHA512
c9cbff3ccfcf28c0ec3e7c95459024c86e71a73e193c433d89d36fadd5be88756c2967baa0b410235df536eef8ba52b1b3bc3fd22638174800889a0376767dbf

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
1KB

MD5
e737b55ac96b185d285e88645943d480

SHA1
364200e2f5b2581f343e8a51d3168a5a66728b8b

SHA256
922b4d7a2bacef335502d7a54173fbcce1fe34d9f85a471b1476387bcded395a

SHA512
6a1b424651046378f74c546759ca0715fa0641310382c11791ac8479219e1156f4e3b2e5bde7b2786e0a972b3883b5d03fd479b98f3b29e049d12438593d99eb

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
2KB

MD5
ceedf1e13c75ede93789e41cc6cbd843

SHA1
1e1bccfaab9d9fa9f404c1ce12a84b5fe3aacf6c

SHA256
0c5196ee5dbcb17a0efc82415b36ea32b7a84073541874f6d35354c15b996a21

SHA512
61b8569a6048045df3482cd6ce768422c615e824a5bfaddd2203914b6d313bb6747271fbf4d18ceda35e918ed2f3d0003c5962650791ee3f0f852d52e0345566

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
3KB

MD5
a5fb1ab1b0840649f67c19a307d3a611

SHA1
ee8f3ea4334381648c8c72bdac9b6475ff610b2c

SHA256
490f3c20a8bcb6bcf4227c202dd298d917d8b430003841077a10772cd900011e

SHA512
5a515be2dc7d8f3f24573ad101c93f04af073a84bf8816cdbcac0f3caa4cf3404829f70f9275a2723c1c908da39cd7e110424f6ac130d977827c200f7dd05ba4

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
4KB

MD5
d708073fbdfaa43f435bfa62286b5c77

SHA1
5be11eb6b853eb4a5b9692314ef379b8d1ed4468

SHA256
5d4856ce2071d7ea9547586d2fca291f7328cfc0aae45a3ddfaf0c1a05a6e72a

SHA512
28eae6117557d9bd276f1af26b88f11d555ef9f23e8725fe5b05895a00093c5199090ba89adc85f2faa0dd22f474432c6febcc48f814ca5df6926758e0f15f00

Download Submit
C:\Windows\SysWOW64\directx\websetup\filelist.dat

Filesize
111B

MD5
d6f81567baaf05b557d9bc6c348cb5f1

SHA1
0c840165fcd34d996c85b6b44b00c7206bf772b6

SHA256
e60413bec64775bf1933ef4f9673c8bcfbe0ce71e950fd589bbd14c0f9a00359

SHA512
09b84cc9199592821d7de38cbe24332097b276bb25b6d09f7dcdc3a6b17369ee944a6f8120f13ea6a5c15eb759a90d7ce29cc845a5c0680ff2fa53e2623171e2

Download Submit
C:\Windows\SysWOW64\directx\websetup\filelist.dat

Filesize
137B

MD5
cec960807fa5bec11ad4a31c3512da4d

SHA1
a3ac60a3518747d3bbead5edfd17e155cf7ce9f7

SHA256
f960075a7b1c2590e18700f3230f7baea9aced3e6ba5dc93dac193027b5cec48

SHA512
2da2d935f9b96bd36536f3a7a494775c8ed9bfef6538ffe66307b73cd5c82210fc43bbe6706d74d99dd5b924fb78a0d1beceee8c0e22d91e17b1346dd85690ec

Download Submit
C:\Windows\msdownld.tmp\AS5B2444.tmp\dxupdate.cab

Filesize
98KB

MD5
4afd7f5c0574a0efd163740ecb142011

SHA1
3ebca5343804fe94d50026da91647442da084302

SHA256
6e39b3fdb6722ea8aa0dc8f46ae0d8bd6496dd0f5f56bac618a0a7dd22d6cfb2

SHA512
6f974acec7d6c1b6a423b28810b0840e77a9f9c1f9632c5cba875bd895e076c7e03112285635cf633c2fa9a4d4e2f4a57437ae8df88a7882184ff6685ee15f3f

Download Submit
memory/2264-2493-0x00007FF9498A0000-0x00007FF94B9A8000-memory.dmp

Filesize
33.0MB

Download
memory/5396-1992-0x0000019BB22B0000-0x0000019BB22D2000-memory.dmp

Filesize
136KB

Download
memory/5532-2082-0x00007FF9498A0000-0x00007FF94B9A8000-memory.dmp

Filesize
33.0MB

Download
memory/5532-2024-0x00000268EAF90000-0x00000268EAF91000-memory.dmp

Filesize
4KB

Download
memory/5532-2025-0x00000268EB030000-0x00000268EBE7D000-memory.dmp

Filesize
14.3MB

Download
memory/5532-2028-0x00000268EAFA0000-0x00000268EAFA1000-memory.dmp

Filesize
4KB

Download
memory/5532-2026-0x00000268EB030000-0x00000268EBE7D000-memory.dmp

Filesize
14.3MB

Download
memory/5532-2027-0x00000268EB030000-0x00000268EBE7D000-memory.dmp

Filesize
14.3MB

Download
memory/5532-2129-0x00007FF9498A0000-0x00007FF94B9A8000-memory.dmp

Filesize
33.0MB

Download
memory/5764-1635-0x000001B6C13E0000-0x000001B6C13E1000-memory.dmp

Filesize
4KB

Download
memory/5764-1636-0x000001B6C3F60000-0x000001B6C4D31000-memory.dmp

Filesize
13.8MB

Download
memory/5764-1639-0x000001B6C13F0000-0x000001B6C13F1000-memory.dmp

Filesize
4KB

Download
memory/5764-1637-0x000001B6C3F60000-0x000001B6C4D31000-memory.dmp

Filesize
13.8MB

Download
memory/5764-1638-0x000001B6C3F60000-0x000001B6C4D31000-memory.dmp

Filesize
13.8MB

Download