strela | 14636b7fc900e2be3fee5abb409e3b7a3cdf5a99107bf6d7dcbcce4b26ee0d34

Analysis

max time kernel
117s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
16/02/2025, 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eagleget-2-1-6-50.exe
Size

10.0MB
MD5

e96dd956bc2159ff1d073876ef5d4e58
SHA1

a0da0d7c8394d646eb5a0f64be14397235f22704
SHA256

14636b7fc900e2be3fee5abb409e3b7a3cdf5a99107bf6d7dcbcce4b26ee0d34
SHA512

c2334b9c666174d38213c1cd84a8f2f9fbfbeea8e18f7fdf7e0b6bab70377e7d1a8f01fe45688bcbfcc2bb85933aa97a829c1feb94ede874b1426dd320080806
SSDEEP

196608:Mem6/gb2N3s9m35DylYLan8CmD5zpX9o38vR/dnG0sb9iMly9ssSGz8EQgCPhtv:MelYyVYm3RLaQ5zpNq8NdnExiMw+P4QD

Score

10^/10

strela adware discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Detects Strela Stealer payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023ce6-10.dat	family_strela

Strela family
strela
Strela stealer
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Downloads MZ/PE file 1 IoCs

flow	pid	Process
125	4232	Process not Found

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\eagleGet.sys	EGMonitor.exe
File opened for modification	C:\Windows\system32\drivers\eagleGet.sys	EGMonitor.exe
File created	C:\Windows\system32\drivers\eagleGet.update	EGMonitor.exe
File created	C:\Windows\system32\drivers\eagleGet.sys	EGMonitor.exe
File created	C:\Windows\system32\drivers\eagleGet.sys	EGMonitor.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\eagleGet\ImagePath = "System32\\Drivers\\eagleGet.sys"	EGMonitor.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Control Panel\International\Geo\Nation	eagleget-2-1-6-50.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Control Panel\International\Geo\Nation	net_updater32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Control Panel\International\Geo\Nation	EagleGet.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 11 IoCs

pid	Process
3336	eagleget-2-1-6-50.tmp
4432	net_updater32.exe
4356	test_wpf.exe
528	net_updater32.exe
720	EGMonitor.exe
2592	EGMonitor.exe
4144	EGMonitor.exe
3588	EGMonitor.exe
4672	EagleGet.exe
1008	test_wpf.exe
2700	EGMonitor.exe

Loads dropped DLL 46 IoCs

pid	Process
3336	eagleget-2-1-6-50.tmp
3336	eagleget-2-1-6-50.tmp
3336	eagleget-2-1-6-50.tmp
3336	eagleget-2-1-6-50.tmp
3336	eagleget-2-1-6-50.tmp
4732	regsvr32.exe
4732	regsvr32.exe
4896	regsvr32.exe
2588	regsvr32.exe
2588	regsvr32.exe
4432	net_updater32.exe
4432	net_updater32.exe
4432	net_updater32.exe
4432	net_updater32.exe
4432	net_updater32.exe
528	net_updater32.exe
720	EGMonitor.exe
720	EGMonitor.exe
2592	EGMonitor.exe
2592	EGMonitor.exe
4144	EGMonitor.exe
4144	EGMonitor.exe
3588	EGMonitor.exe
3588	EGMonitor.exe
3588	EGMonitor.exe
4672	EagleGet.exe
4672	EagleGet.exe
4672	EagleGet.exe
4672	EagleGet.exe
4672	EagleGet.exe
4672	EagleGet.exe
4672	EagleGet.exe
4672	EagleGet.exe
4672	EagleGet.exe
4672	EagleGet.exe
4672	EagleGet.exe
4672	EagleGet.exe
4672	EagleGet.exe
4672	EagleGet.exe
4672	EagleGet.exe
4672	EagleGet.exe
4672	EagleGet.exe
4672	EagleGet.exe
2700	EGMonitor.exe
2700	EGMonitor.exe
2700	EGMonitor.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E871FF8-029C-4732-8AA7-39E3D3872057}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E871FF8-029C-4732-8AA7-39E3D3872057}\ = "bteagleget.com"	regsvr32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\EagleGet\is-51JTK.tmp	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\luminati\perr_04_01_init_dialog_1.172.289.sent	net_updater32.exe
File opened for modification	C:\Program Files (x86)\EagleGet\eagleSniffer.dll	eagleget-2-1-6-50.tmp
File opened for modification	C:\Program Files (x86)\EagleGet\lum_sdk32_clr.dll	net_updater32.exe
File created	C:\Program Files (x86)\EagleGet\luminati\lum_sdk_install_id	net_updater32.exe
File created	C:\Program Files (x86)\EagleGet\luminati\20250216_152826_04_06_choose_peer_1.172.289.log	net_updater32.exe
File opened for modification	C:\Program Files (x86)\EagleGet\sqlite3.dll	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\is-NC1HM.tmp	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\addon\is-1LC9D.tmp	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\luminati\perr_04_03_setup_dialog_1.172.289.sent	net_updater32.exe
File created	C:\Program Files (x86)\EagleGet\unins000.dat	eagleget-2-1-6-50.tmp
File opened for modification	C:\Program Files (x86)\EagleGet\luminati\lum_sdk_exception.dmp	net_updater32.exe
File created	C:\Program Files (x86)\EagleGet\kbasnthasciateuhant98437uau	EagleGet.exe
File created	C:\Program Files (x86)\EagleGet\is-NMSFM.tmp	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\luminati\20250216_152828_unhandled_exception_1.172.289.log	net_updater32.exe
File created	C:\Program Files (x86)\EagleGet\is-G8N80.tmp	eagleget-2-1-6-50.tmp
File opened for modification	C:\Program Files (x86)\EagleGet\luminati\lum_sdk_install_id	net_updater32.exe
File opened for modification	C:\Program Files (x86)\EagleGet\IEGraberBHO.dll	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\firefox.json	eagleget-2-1-6-50.tmp
File opened for modification	C:\Program Files (x86)\EagleGet\test_wpf.exe	EagleGet.exe
File created	C:\Program Files (x86)\EagleGet\is-FMQHU.tmp	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\is-3URS6.tmp	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\luminati\20250216_152825_choice_change_1.172.289.log	net_updater32.exe
File opened for modification	C:\Program Files (x86)\EagleGet\luminati\lum_sdk.log	EagleGet.exe
File opened for modification	C:\Program Files (x86)\Common Files\EagleGet\util.dll	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\is-26NB3.tmp	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\lum_sdk32_clr.dll	net_updater32.exe
File opened for modification	C:\Program Files (x86)\EagleGet\dl.dll	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\luminati\perr_02_sent_cleanup_1.172.289.sent	net_updater32.exe
File created	C:\Program Files (x86)\EagleGet\luminati\perr_04_07_notify_dialog_1.172.289.sent	net_updater32.exe
File opened for modification	C:\Program Files (x86)\EagleGet\com.eagleget.chrome_extension.json	eagleget-2-1-6-50.tmp
File opened for modification	C:\Program Files (x86)\EagleGet\CrashRpt.dll	eagleget-2-1-6-50.tmp
File opened for modification	C:\Program Files (x86)\EagleGet\libcurl.dll	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\is-0SO44.tmp	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\luminati\perr_03_is_admin_1.172.289.sent	net_updater32.exe
File opened for modification	C:\Program Files (x86)\EagleGet\proxy.dll	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\luminati\perr_04_05_show_dialog_1.172.289.sent	net_updater32.exe
File created	C:\Program Files (x86)\EagleGet\luminati\20250216_152826_user_chose_peer_1.172.289.log	net_updater32.exe
File created	C:\Program Files (x86)\EagleGet\is-MHV7U.tmp	eagleget-2-1-6-50.tmp
File opened for modification	C:\Program Files (x86)\EagleGet	net_updater32.exe
File opened for modification	C:\Program Files (x86)\EagleGet\msvcr120.dll	net_updater32.exe
File created	C:\Program Files (x86)\EagleGet\luminati\perr_04_06_choose_peer_1.172.289.sent	net_updater32.exe
File opened for modification	C:\Program Files (x86)\EagleGet\test_wpf.exe	net_updater32.exe
File created	C:\Program Files (x86)\EagleGet\test_wpf.exe	net_updater32.exe
File created	C:\Program Files (x86)\EagleGet\is-ROH9S.tmp	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\is-CMIVO.tmp	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\is-TDG8I.tmp	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\is-S3TKA.tmp	eagleget-2-1-6-50.tmp
File opened for modification	C:\Program Files (x86)\EagleGet\ssleay32.dll	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\is-9CEFK.tmp	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\is-0N5TO.tmp	eagleget-2-1-6-50.tmp
File opened for modification	C:\Program Files (x86)\EagleGet\sslQuery.dll	eagleget-2-1-6-50.tmp
File opened for modification	C:\Program Files (x86)\EagleGet\EGMonitor.exe	eagleget-2-1-6-50.tmp
File opened for modification	C:\Program Files (x86)\EagleGet\zlib.dll	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\is-CGE6J.tmp	eagleget-2-1-6-50.tmp
File opened for modification	C:\Program Files (x86)\EagleGet\CallbackCtrl.dll	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\is-NQN6B.tmp	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\luminati\perr_13_supported_1.172.289.sent	net_updater32.exe
File opened for modification	C:\Program Files (x86)\EagleGet	EagleGet.exe
File opened for modification	C:\Program Files (x86)\EagleGet\libgcc_s_dw2-1.dll	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\is-TIL0A.tmp	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\is-5HNUN.tmp	eagleget-2-1-6-50.tmp
File created	C:\Program Files (x86)\EagleGet\luminati\20250216_152826_popup_close_1.172.289.log	net_updater32.exe
File created	C:\Program Files (x86)\EagleGet\lum_sdk_session_id	net_updater32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4536	528	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net_updater32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net_updater32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGMonitor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EagleGet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGMonitor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eagleget-2-1-6-50.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGMonitor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGMonitor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test_wpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test_wpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGMonitor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eagleget-2-1-6-50.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3188	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
4684	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Validation\{13D6E221-D1CC-4cc1-8410-66CD89818A6F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Validation\{13D6E221-D1CC-4cc1-8410-66CD89818A6F}\InprocServer32\ = "C:\\Program Files (x86)\\EagleGet\\eagleSniffer.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with EagleGet\ = "res://C:\\Program Files (x86)\\EagleGet\\IEGraberBHO.dll/202"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Validation\{13D6E221-D1CC-4cc1-8410-66CD89818A6F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Validation\{13D6E221-D1CC-4cc1-8410-66CD89818A6F}\TypeLib	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with EagleGet\Contexts = "243"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with EagleGet	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with EagleGet\Contexts = "34"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Software\Microsoft\Internet Explorer\Main\	eagleget-2-1-6-50.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "ye"	eagleget-2-1-6-50.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{13D6E221-D1CC-4cc1-8410-66CD89818A6F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Validation	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Validation\{13D6E221-D1CC-4cc1-8410-66CD89818A6F}\ = "Customdown Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Validation\{13D6E221-D1CC-4cc1-8410-66CD89818A6F}\TypeLib\ = "{1FE29BBF-5745-45a1-B1E7-2DFD97926CEF}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with EagleGet	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Validation\{13D6E221-D1CC-4cc1-8410-66CD89818A6F}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Validation\{13D6E221-D1CC-4cc1-8410-66CD89818A6F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Validation\{13D6E221-D1CC-4cc1-8410-66CD89818A6F}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Validation\{13D6E221-D1CC-4cc1-8410-66CD89818A6F}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{13D6E221-D1CC-4cc1-8410-66CD89818A6F}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with EagleGet\ = "res://C:\\Program Files (x86)\\EagleGet\\IEGraberBHO.dll/201"	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D700DDC2-DA60-4312-B1CD-8944E93C3EF6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEGrab.Customdown\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEGrab.Customdown\CurVer\ = "IEGrab.Customdown.1"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\WOW6432Node\CLSID\{9843d1f9-641f-5b9a-bc7c-f59bba9a8f25}\MiscStatus\1\ = "131473"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\AppID\{B415CD14-B45D-4BCA-B552-B06175C38606}\ = "FireBreathWin"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\TypeLib\{5BF350E6-763C-5778-8960-BF006540067D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\WOW6432Node\Interface\{E22ABA47-7A14-5B5E-941A-AAEEFCEE01F9}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Interface\{6BCF4892-5428-53D9-A1D9-56D55AEF29AB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{46B30FC5-D638-4323-ACA1-EA7541FA65F1}\1.0\ = "IEGraberBHO 1.0 ÀàÐÍ¿â"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13D6E221-D1CC-4cc1-8410-66CD89818A6F}\VersionIndependentProgID\ = "IEGrab.Customdown"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\TypeLib\{5BF350E6-763C-5778-8960-BF006540067D}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97C13EA5-DECA-4355-B789-7788B7EB154A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEGrab.EGet.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FE29BBF-5745-45A1-B1E7-2DFD97926CEF}\1.0\0\win32\ = "C:\\Program Files (x86)\\EagleGet\\eagleSniffer.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\AppID\{B415CD14-B45D-4BCA-B552-B06175C38606}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\WOW6432Node\CLSID\{9843d1f9-641f-5b9a-bc7c-f59bba9a8f25}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\WOW6432Node\Interface\{6BCF4892-5428-53D9-A1D9-56D55AEF29AB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FE29BBF-5745-45A1-B1E7-2DFD97926CEF}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FE29BBF-5745-45A1-B1E7-2DFD97926CEF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\AppID\npEagleGet32.dll\AppID = "{B415CD14-B45D-4BCA-B552-B06175C38606}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\WOW6432Node\Interface\{E22ABA47-7A14-5B5E-941A-AAEEFCEE01F9}\ = "IFBControl"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\WOW6432Node\Interface\{47A50A6B-EB5E-5DB3-8955-89A3AC3D64F9}\TypeLib\ = "{5BF350E6-763C-5778-8960-BF006540067D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{46B30FC5-D638-4323-ACA1-EA7541FA65F1}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEGrab.EGet\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13D6E221-D1CC-4cc1-8410-66CD89818A6F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FE29BBF-5745-45A1-B1E7-2DFD97926CEF}\1.0\ = "iegrab 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7EFCB4C-66F9-475C-97FB-03687DAB0EB3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{97C13EA5-DECA-4355-B789-7788B7EB154A}\ = "IEGet"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Interface\{E22ABA47-7A14-5B5E-941A-AAEEFCEE01F9}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Interface\{E22ABA47-7A14-5B5E-941A-AAEEFCEE01F9}\ = "IFBControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D700DDC2-DA60-4312-B1CD-8944E93C3EF6}\TypeLib\ = "{46B30FC5-D638-4323-ACA1-EA7541FA65F1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEGrab.EGet.1\ = "EGet Class"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\EagleGet.EagleGet32\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Interface\{47A50A6B-EB5E-5DB3-8955-89A3AC3D64F9}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E871FF8-029C-4732-8AA7-39E3D3872057}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\WOW6432Node\CLSID\{9843d1f9-641f-5b9a-bc7c-f59bba9a8f25}\AppID = "{B415CD14-B45D-4BCA-B552-B06175C38606}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Interface\{E22ABA47-7A14-5B5E-941A-AAEEFCEE01F9}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\WOW6432Node\CLSID\{9843d1f9-641f-5b9a-bc7c-f59bba9a8f25}\InprocServer32\ = "C:\\Program Files (x86)\\EagleGet\\npEagleget.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{FBDC47F7-F27C-463B-9976-16683FBEDED5}\ = "IEGraberBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D700DDC2-DA60-4312-B1CD-8944E93C3EF6}\ = "EagleGet Class"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\WOW6432Node\CLSID\{9843d1f9-641f-5b9a-bc7c-f59bba9a8f25}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\WOW6432Node\CLSID\{9843d1f9-641f-5b9a-bc7c-f59bba9a8f25}\Version	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\TypeLib\{5BF350E6-763C-5778-8960-BF006540067D}\1.0\0\win32\ = "C:\\Program Files (x86)\\EagleGet\\npEagleget.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEGrab.Customdown.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Interface\{47A50A6B-EB5E-5DB3-8955-89A3AC3D64F9}\ = "IFBComJavascriptObject"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7EFCB4C-66F9-475C-97FB-03687DAB0EB3}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{46B30FC5-D638-4323-ACA1-EA7541FA65F1}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEGrab.EGet\CurVer\ = "IEGrab.EGet.1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Interface\{E22ABA47-7A14-5B5E-941A-AAEEFCEE01F9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\EagleGet.EagleGet32\ = "EagleGet Free Downloader Plugin"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\TypeLib\{5BF350E6-763C-5778-8960-BF006540067D}\1.0\ = "EagleGet32 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEGraberBHO.EagleGet.1\CLSID\ = "{D700DDC2-DA60-4312-B1CD-8944E93C3EF6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IEGraberBHO.DLL\AppID = "{FBDC47F7-F27C-463B-9976-16683FBEDED5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E871FF8-029C-4732-8AA7-39E3D3872057}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEGrab.Customdown\ = "Customdown Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{97C13EA5-DECA-4355-B789-7788B7EB154A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E871FF8-029C-4732-8AA7-39E3D3872057}\VersionIndependentProgID\ = "IEGrab.EGet"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97C13EA5-DECA-4355-B789-7788B7EB154A}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\WOW6432Node\CLSID\{9843d1f9-641f-5b9a-bc7c-f59bba9a8f25}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D700DDC2-DA60-4312-B1CD-8944E93C3EF6}\ProgID\ = "IEGraberBHO.EagleGet.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7EFCB4C-66F9-475C-97FB-03687DAB0EB3}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7DA3D5E0-7F3A-421B-8FA8-AAD6C3385583}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\MIME\Database\Content Type\application/x-eagleget\Extension	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\WOW6432Node\Interface\{47A50A6B-EB5E-5DB3-8955-89A3AC3D64F9}	regsvr32.exe

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	65	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	67	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	73	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	118	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	120	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	64	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3336	eagleget-2-1-6-50.tmp
3336	eagleget-2-1-6-50.tmp
3336	eagleget-2-1-6-50.tmp
3336	eagleget-2-1-6-50.tmp
3336	eagleget-2-1-6-50.tmp
3336	eagleget-2-1-6-50.tmp
3336	eagleget-2-1-6-50.tmp
3336	eagleget-2-1-6-50.tmp
3336	eagleget-2-1-6-50.tmp
3336	eagleget-2-1-6-50.tmp
3336	eagleget-2-1-6-50.tmp
3336	eagleget-2-1-6-50.tmp
4432	net_updater32.exe
4432	net_updater32.exe
4432	net_updater32.exe
4536	msedge.exe
4536	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
4672	EagleGet.exe
4672	EagleGet.exe
4716	identity_helper.exe
4716	identity_helper.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4684	taskkill.exe
Token: SeDebugPrivilege	3336	eagleget-2-1-6-50.tmp
Token: SeDebugPrivilege	4432	net_updater32.exe
Token: SeDebugPrivilege	4144	EGMonitor.exe
Token: SeDebugPrivilege	4672	EagleGet.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
3336	eagleget-2-1-6-50.tmp
4672	EagleGet.exe
4672	EagleGet.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
4672	EagleGet.exe
4672	EagleGet.exe
4672	EagleGet.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4672	EagleGet.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
4672	EagleGet.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4672	EagleGet.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 3336	2844	eagleget-2-1-6-50.exe	86
PID 2844 wrote to memory of 3336	2844	eagleget-2-1-6-50.exe	86
PID 2844 wrote to memory of 3336	2844	eagleget-2-1-6-50.exe	86
PID 3336 wrote to memory of 4684	3336	eagleget-2-1-6-50.tmp	90
PID 3336 wrote to memory of 4684	3336	eagleget-2-1-6-50.tmp	90
PID 3336 wrote to memory of 4684	3336	eagleget-2-1-6-50.tmp	90
PID 3336 wrote to memory of 4732	3336	eagleget-2-1-6-50.tmp	94
PID 3336 wrote to memory of 4732	3336	eagleget-2-1-6-50.tmp	94
PID 3336 wrote to memory of 4732	3336	eagleget-2-1-6-50.tmp	94
PID 3336 wrote to memory of 4896	3336	eagleget-2-1-6-50.tmp	95
PID 3336 wrote to memory of 4896	3336	eagleget-2-1-6-50.tmp	95
PID 3336 wrote to memory of 4896	3336	eagleget-2-1-6-50.tmp	95
PID 3336 wrote to memory of 2588	3336	eagleget-2-1-6-50.tmp	96
PID 3336 wrote to memory of 2588	3336	eagleget-2-1-6-50.tmp	96
PID 3336 wrote to memory of 2588	3336	eagleget-2-1-6-50.tmp	96
PID 3336 wrote to memory of 4432	3336	eagleget-2-1-6-50.tmp	98
PID 3336 wrote to memory of 4432	3336	eagleget-2-1-6-50.tmp	98
PID 3336 wrote to memory of 4432	3336	eagleget-2-1-6-50.tmp	98
PID 4432 wrote to memory of 4356	4432	net_updater32.exe	101
PID 4432 wrote to memory of 4356	4432	net_updater32.exe	101
PID 4432 wrote to memory of 4356	4432	net_updater32.exe	101
PID 4432 wrote to memory of 528	4432	net_updater32.exe	103
PID 4432 wrote to memory of 528	4432	net_updater32.exe	103
PID 4432 wrote to memory of 528	4432	net_updater32.exe	103
PID 3336 wrote to memory of 720	3336	eagleget-2-1-6-50.tmp	108
PID 3336 wrote to memory of 720	3336	eagleget-2-1-6-50.tmp	108
PID 3336 wrote to memory of 720	3336	eagleget-2-1-6-50.tmp	108
PID 3336 wrote to memory of 2592	3336	eagleget-2-1-6-50.tmp	113
PID 3336 wrote to memory of 2592	3336	eagleget-2-1-6-50.tmp	113
PID 3336 wrote to memory of 2592	3336	eagleget-2-1-6-50.tmp	113
PID 4144 wrote to memory of 3588	4144	EGMonitor.exe	115
PID 4144 wrote to memory of 3588	4144	EGMonitor.exe	115
PID 4144 wrote to memory of 3588	4144	EGMonitor.exe	115
PID 3336 wrote to memory of 4672	3336	eagleget-2-1-6-50.tmp	116
PID 3336 wrote to memory of 4672	3336	eagleget-2-1-6-50.tmp	116
PID 3336 wrote to memory of 4672	3336	eagleget-2-1-6-50.tmp	116
PID 4672 wrote to memory of 1008	4672	EagleGet.exe	117
PID 4672 wrote to memory of 1008	4672	EagleGet.exe	117
PID 4672 wrote to memory of 1008	4672	EagleGet.exe	117
PID 3336 wrote to memory of 2708	3336	eagleget-2-1-6-50.tmp	118
PID 3336 wrote to memory of 2708	3336	eagleget-2-1-6-50.tmp	118
PID 2708 wrote to memory of 2200	2708	msedge.exe	119
PID 2708 wrote to memory of 2200	2708	msedge.exe	119
PID 2708 wrote to memory of 1160	2708	msedge.exe	120
PID 2708 wrote to memory of 1160	2708	msedge.exe	120
PID 2708 wrote to memory of 1160	2708	msedge.exe	120
PID 2708 wrote to memory of 1160	2708	msedge.exe	120
PID 2708 wrote to memory of 1160	2708	msedge.exe	120
PID 2708 wrote to memory of 1160	2708	msedge.exe	120
PID 2708 wrote to memory of 1160	2708	msedge.exe	120
PID 2708 wrote to memory of 1160	2708	msedge.exe	120
PID 2708 wrote to memory of 1160	2708	msedge.exe	120
PID 2708 wrote to memory of 1160	2708	msedge.exe	120
PID 2708 wrote to memory of 1160	2708	msedge.exe	120
PID 2708 wrote to memory of 1160	2708	msedge.exe	120
PID 2708 wrote to memory of 1160	2708	msedge.exe	120
PID 2708 wrote to memory of 1160	2708	msedge.exe	120
PID 2708 wrote to memory of 1160	2708	msedge.exe	120
PID 2708 wrote to memory of 1160	2708	msedge.exe	120
PID 2708 wrote to memory of 1160	2708	msedge.exe	120
PID 2708 wrote to memory of 1160	2708	msedge.exe	120
PID 2708 wrote to memory of 1160	2708	msedge.exe	120
PID 2708 wrote to memory of 1160	2708	msedge.exe	120
PID 2708 wrote to memory of 1160	2708	msedge.exe	120

C:\Users\Admin\AppData\Local\Temp\eagleget-2-1-6-50.exe
"C:\Users\Admin\AppData\Local\Temp\eagleget-2-1-6-50.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\is-OE2KE.tmp\eagleget-2-1-6-50.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-OE2KE.tmp\eagleget-2-1-6-50.tmp" /SL5="$F0070,9993427,175104,C:\Users\Admin\AppData\Local\Temp\eagleget-2-1-6-50.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /f /im "net_updater32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4684
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\EagleGet\eagleSniffer.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:4732
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\EagleGet\npEagleget.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4896
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\EagleGet\IEGraberBHO.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2588
- - C:\Program Files (x86)\EagleGet\net_updater32.exe
    "C:\Program Files (x86)\EagleGet\net_updater32.exe" --install-ui win_eagleget.com --dlg-app-name EagleGet --dlg-tos-link "http://www.eagleget.com/privacy-policy" --dlg-logo-link "http://admin.eagleget.com/latest/EagleGet-Icon.png" --dlg-bg-color "#ffcfe3c4" --dlg-pos "screen" --dlg-btn-color "#ff32363f" --dlg-txt-color "#ff32363f" --dlg-not-peer-txt ads
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Program Files (x86)\EagleGet\test_wpf.exe
      C:\Program Files (x86)\EagleGet\test_wpf.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4356
  - - C:\Program Files (x86)\EagleGet\net_updater32.exe
      "C:\Program Files (x86)\EagleGet\net_updater32.exe" --install win_eagleget.com --no-cleanup
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:528
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 912
        5⤵
        Program crash
        
        PID:4536
- - C:\Program Files (x86)\EagleGet\EGMonitor.exe
    "C:\Program Files (x86)\EagleGet\EGMonitor.exe" /installnewtab
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:720
- - C:\Program Files (x86)\EagleGet\EGMonitor.exe
    "C:\Program Files (x86)\EagleGet\EGMonitor.exe" /install
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2592
- - C:\Program Files (x86)\EagleGet\EagleGet.exe
    "C:\Program Files (x86)\EagleGet\EagleGet.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Program Files (x86)\EagleGet\test_wpf.exe
      C:\Program Files (x86)\EagleGet\test_wpf.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1008
  - - C:\Program Files (x86)\EagleGet\EGMonitor.exe
      "C:\Program Files (x86)\EagleGet\EGMonitor.exe" /rm
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.eagleget.com/welcome
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaccb046f8,0x7ffaccb04708,0x7ffaccb04718
      4⤵
      PID:2200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2296,402946983470558131,8649223485617606633,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
      4⤵
      PID:1160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2296,402946983470558131,8649223485617606633,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2296,402946983470558131,8649223485617606633,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
      4⤵
      PID:2008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,402946983470558131,8649223485617606633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
      4⤵
      PID:2492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,402946983470558131,8649223485617606633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      PID:4548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2296,402946983470558131,8649223485617606633,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
      4⤵
      PID:4680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2296,402946983470558131,8649223485617606633,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,402946983470558131,8649223485617606633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
      4⤵
      PID:1444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,402946983470558131,8649223485617606633,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
      4⤵
      PID:1288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,402946983470558131,8649223485617606633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
      4⤵
      PID:4236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,402946983470558131,8649223485617606633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
      4⤵
      PID:4568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,402946983470558131,8649223485617606633,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
      4⤵
      PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 528 -ip 528
1⤵
PID:4792

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OENGNDQ5Q0QtMjFGNS00QjIzLTgzODMtQzg5RUU2Qjg3MzVFfSIgdXNlcmlkPSJ7OUYzREExRkMtQkQ5Mi00REY2LTlFRDYtNzMxMzU5QjUwMzVFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NkNFQzQ4MUUtNEEwRi00OThCLTlGNDUtNkZEMDc1NURCMEFEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1Mjk4MDIyNDQzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3188

C:\Program Files (x86)\EagleGet\EGMonitor.exe
"C:\Program Files (x86)\EagleGet\EGMonitor.exe" /svc
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Program Files (x86)\EagleGet\EGMonitor.exe
  "C:\Program Files (x86)\EagleGet\EGMonitor.exe" /rm
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EagleGet\CrashRpt.dll

Filesize
294KB

MD5
69f2854d3497bb96078fde9147d12227

SHA1
b22ace716494c7422261c3468336cd8a51d03a44

SHA256
fd5431468ff4e188b7652f0acf237896c6fab3bda341d77f9d84c9550f803c17

SHA512
a15583bf595df0223d5deb984598cdf7b14f5340e6255c6d8ff864d36a9ae9a24250a51f05b176cd633f3bde4b52d13ba1ea6ec9a65339dc593901b07e5e27a1

Download Submit
C:\Program Files (x86)\EagleGet\EGMonitor.exe

Filesize
332KB

MD5
44a8d0dedc406ee46e0ca3e13768f1e3

SHA1
a5efe5a4db00fd6e6301a012513f955028df3823

SHA256
1499a03e0ab8e77fa44aae63a3be01786b2d954854c4892cd98794abbd433e1e

SHA512
32fea58ad5cd44d0dfd3454b9856c97625144e2b89f8cc725efd466fe95ce53adb7e0f599b779b69a1e4401887712a47c3f93fc2d305f641b2f440b20ac17ef0

Download Submit
C:\Program Files (x86)\EagleGet\EagleGet.exe

Filesize
2.4MB

MD5
3c4dd1443e03ce175a528e12565c0089

SHA1
0cf63ef1f19ff607a10e6b28cbcbaccfcdc5fbfd

SHA256
4ee513649cdf0925868df4cd7b17e4b67abc0e0a825570ae40ff400e418b4b9b

SHA512
ffff0689d476d58372628c197b3f2d64fcdbe9d0ab4af48a4ce88e9d5247367da9bb222a21519608d4ffff956af8b40e487212020a3cb0234f4768f1b72cb730

Download Submit
C:\Program Files (x86)\EagleGet\IEGraberBHO.dll

Filesize
238KB

MD5
1e91ec8eaae0d9955f6bb17fc28ea04e

SHA1
2b3fe85e4e9a89e3081c19591f2cee3a95482638

SHA256
ec0527a50753879cf3ad4d153ea19ff739827ee8a983b4a1519d4927e04813d8

SHA512
1cce017201bd174c4b52a430b7b4323e5d53aaecad2ec9c5562f04d81868d284fc86f120a2285237365aca40b9099bfa2e2ac2aa5ba5a98d1dd286a50bea359d

Download Submit
C:\Program Files (x86)\EagleGet\UninstallIco.ico

Filesize
17KB

MD5
009d9bdffb6ee378d30150031b620695

SHA1
11dea417c23f5682bf8102e6dd566f05ae9d7e3e

SHA256
5b003443e41fd99f26ecb3049b887bb9e2dec66fbe495f5f1dabc7d2fde1e801

SHA512
8972887f569f845a2312f0fcacc1e881990c5ab999b14184c1907931766fb7e6efd2e079efb1245007a0114ede419c41d8581c844f1936a9de4fbb029aaa9975

Download Submit
C:\Program Files (x86)\EagleGet\_eagleGet_x64.sys

Filesize
77KB

MD5
7cebfad0c6236844d930aaa0f6502e9b

SHA1
67a451f41d453e7c0cc8eb6f56b4c9ec257cf689

SHA256
2e2d1651f3b57376f0e100ead43c95481d27a9815ad13742f3034c7ebcc43f59

SHA512
33136266b8f4433dbfd728ed3ed3a70e0afc2d0064628dd056add79c78648e9012408341817097a128a5264e85191a7b43ebe46be53937eaae2d9f8d51b06311

Download Submit
C:\Program Files (x86)\EagleGet\_eagleGet_x86.sys

Filesize
62KB

MD5
7149e56fe2673c5a82d99848d61f5823

SHA1
7c74a82c264661ee511952727812e4fe63324579

SHA256
ee61881a1a99836a2a580e08aea53e6eba295ead01b76139b09d0741345fade3

SHA512
59921aa7740ea28b64833d60038f57dba1474352b1e6ad833fe57859867fccbe5c2b0ea69535533316bc726f7f70959d61bec69197677828cc00109081afa76e

Download Submit
C:\Program Files (x86)\EagleGet\addon\[email protected]

Filesize
96KB

MD5
a40b9a135b1aac95a3f4e776990ad685

SHA1
ebba814f2801e67d581bd6f2327f071bcfe1d7a5

SHA256
e6d31dc6c83b9700d204b9ddeeaf688e62e17a8bf7dafe84beae934ab496338a

SHA512
f15babe70a9413cf0e4098f19f728321465bff0ecfb6f0ee2ac955ecba4e2c00d92be17142d13274b6bb5639ccb78f7c02959ba19b229376210a75efdbeabdb5

Download Submit
C:\Program Files (x86)\EagleGet\addon\[email protected]

Filesize
104KB

MD5
bb9452d61f8e9637265a08935893d999

SHA1
ec4a265a8d3d1ad5e962fbce9ac4e827e62d9456

SHA256
9f84f0cfb863b9c31adbed63b5392b6ad562c80354c3494c6aed0da178d20ea4

SHA512
448346beb56fa925701add8c9faab5c864cc716c353dc641d79f6775ed4de9d6a1764570eb7ea32d70659ef9fc626b767187adff5982df94c4d3f3709471062d

Download Submit
C:\Program Files (x86)\EagleGet\addon\eagleget_newtab.crx

Filesize
961KB

MD5
b41e30bdb9035bdb2d73a22320263930

SHA1
8232e2431565a1e7274059808f7f75a358b451d7

SHA256
145ea4ada358df598bfbc9faf1fc73f1b41df15d72799712b7b8f410aac963d9

SHA512
e1efbfa845c218c751fdcf2b9cc70fedbe3c2305ec70648f55e68a7c6b63c63f48f583a25a3c6206ef2937d7e34d87206410c51cfdf7811e40bf7b7a124ca20f

Download Submit
C:\Program Files (x86)\EagleGet\addon\[email protected]

Filesize
18KB

MD5
a1af69c6512bd7641c2ccdb4025c8fd2

SHA1
1898a9e48f9fca77ba11e882d127839749ee8e96

SHA256
ef2e2baad155b62ae37138c190127aede4d86948db0be96e952e97052395f837

SHA512
9f64e5b95318edffac6ec1dd09f5b1ddf3324e8e1eaebeead5ea4e25367a0d262b95428a47665f6fc215980da773e31d94ab6e6b3fa4159a4a08fba0daf31568

Download Submit
C:\Program Files (x86)\EagleGet\com.eagleget.chrome_extension.json

Filesize
398B

MD5
ce86ee686db7743eb5bc3850159092c9

SHA1
69434018ee6e609da7a3ed27a89af852217e458e

SHA256
cf951b06fc0b9c97ad1e731b68bb5fa09642900e9b615760caf63aad96251a99

SHA512
ed2664e86ea50ad4ecfa717f0c4bc311ebb92b02d7080bb11cedc73000387282e1b112d5a6cc1561ea18202dfc0c8ec871ce67e53539c8497a98519190993e54

Download Submit
C:\Program Files (x86)\EagleGet\dl.dll

Filesize
4.1MB

MD5
49e0aec342c9b5ea33becd816373795b

SHA1
387b33413a92e9a7016c2c71e17c039f6282de9e

SHA256
23576dd1005adf75ada73b774dd6df8da6774725334f1b1b49c3b4315da393bc

SHA512
1e499b0c6a773d1091a2788ef49174c5e0be17b3ab1d97881140030a40f45c225b334a2978cfe16245b58673dd29ae7df32a681526b6cec33628e5122fc207be

Download Submit
C:\Program Files (x86)\EagleGet\download-complete.wav

Filesize
120KB

MD5
0efa3ef40736d08b8504575dbcd281ba

SHA1
bf900a29a60a2d109db849ae33b89e6544e48b02

SHA256
5c734125eaabaad56362f76c311fedeb86bfea5f19bd68a11d696be561f59651

SHA512
094e901553317895400190d66529f02e048e513be1a1a5b21f9eef25715dce2ac32adf197620f82a630d495380188972162d40635b290b688776afb916d8fd28

Download Submit
C:\Program Files (x86)\EagleGet\eagleGet_wfp_x64.sys

Filesize
84KB

MD5
cb9a12bde2db323740692f0f54f83dd8

SHA1
87f02a72c44ea04ad38d8d726c0c253fe0783d69

SHA256
69287e35b96f50df7fb628b8132f9a58bbb2d1312705aeccd15fc1cf3048fa2a

SHA512
e3153606a1c2d2c86c967ed2e680b714bc1ac6127dedb85409b16f582e9bee1fcf6f4fefcedd969dc3a9c1e9768318f46ffa735b5fca806b9364b9f57ae9af9a

Download Submit
C:\Program Files (x86)\EagleGet\eagleGet_wfp_x86.sys

Filesize
67KB

MD5
549219f86174d095f30b4f1da4189358

SHA1
432e98a1118e82160d5abf5e4658d0f7f5fa8404

SHA256
a1c5453dc41ab2176c985422e02a14f7b9113ed9af2fe5b9141c6d32a4e8a93e

SHA512
5adfb74807b39ac5ce0c91e501f68bbb85267cc2bc77b3ecddf91393d339c0bcc22dcb8200ab84798d30818a367ce945e4549877e960d0243c4d3cf07af614f7

Download Submit
C:\Program Files (x86)\EagleGet\eagleGet_x64.sys

Filesize
74KB

MD5
61745181308202b14cc2f47d50e85cf6

SHA1
b665b8004ae3fe4a5d141a5a95b0e28135d23ca8

SHA256
2875cdbd6960ada13590ee6569a077e36271653c03eca9996af166aad64e6385

SHA512
6424dd4c395326410a5222d26a6518a650524aad8a3e9428f16d06117e8c9b72a990f1b1df53ce342b87a3bb10ad609e640d290f2180f93ee2aaa571142dcda5

Download Submit
C:\Program Files (x86)\EagleGet\eagleGet_x86.sys

Filesize
59KB

MD5
5bf0b3477ce8b7c40d7f3fbd083147f4

SHA1
ee72e488b6ddd022fa0d4377ef8e6c4aec813d34

SHA256
617ecb74de35e7d27d6ea1e556aaab0b5e038e9a96963f5011b6fea203666cae

SHA512
bbc4e3da130b4b1963a0eca3fcb93287135057b3d1ec43384d083c90c11d810ee138f2306979912ec149fd94ae3be53d9eddcaa5f79b1842d7ef039d46480526

Download Submit
C:\Program Files (x86)\EagleGet\eagleSniffer.dll

Filesize
791KB

MD5
8fab5242b8d6da4ed7b41d0bdddfe32c

SHA1
d7087dc2c9031624815c4b1e9896f38a53c51193

SHA256
25e761477cd01e7e98a0e7cd572a8c07c94af9f3afda33c524c25e4716cf4786

SHA512
a483431f0f7b0ddb99339e524661062f8cf207405377965a89226c51745d9e5013f5643deffa3633fc9175899d4f558d4d144857830db141494bc8880e882856

Download Submit
C:\Program Files (x86)\EagleGet\error.wav

Filesize
1KB

MD5
72309f20f2bfee0595fe8d20b8cbefb0

SHA1
efc2b2b263722dddffea44ffc7a116daf09709b3

SHA256
dce3297d94996c91126446e133145e4395c87ba47c4b731ca86c4c845dad8049

SHA512
0de89f9b0ca62cd9977e2becf30d8e9c416ad42f66d1bfbf78e34dc6301e0cec559813d76a05f11abeb39c7cac45e6c20bdf88c86c398c09158cb9f6c3af5942

Download Submit
C:\Program Files (x86)\EagleGet\libcurl.dll

Filesize
296KB

MD5
1923e9ae0a142aead21fdb87b67e0efc

SHA1
e6d32341e7c3b5a3488416d7f62e37b2d0ed2b47

SHA256
96620fbfaf8635d7c5b0623bd10b28deec2cc7706dcb470c2d0b1fd4674c8e39

SHA512
f852aea4bb9712f8f56c5671c242b5ac4611a1c4bc3aa8bb3838a91cc583387c3a1b4af2b97c12e97dafcd6676c9a78e0ac936f9336151915d9cbcf7942b38fb

Download Submit
C:\Program Files (x86)\EagleGet\libeay32.dll

Filesize
2.2MB

MD5
61d8d7cbbd1cc7d544c8168d6c917ce4

SHA1
c003fbc9167817d98e34269c3f45eb5113aa7f89

SHA256
4a7768932385e490443dfd0f8b1402a0028f2a5736ebded5093c128a45b5da72

SHA512
b4790ca751abb622abaeea8b766f16d57a2b8f1f14442399a7ecc150ec605881f372481190c750ae5bf1f8b2e2ae63ca3a42e4c04d83207ac480dd8e92bb82c2

Download Submit
C:\Program Files (x86)\EagleGet\libgcc_s_dw2-1.dll

Filesize
42KB

MD5
c4b4409f186da70fcf2bcc60d5f05489

SHA1
056663c9fd2851cd64f39d882f6758e7a987bd42

SHA256
b35f2a8f4c8f1833f3cdec20739c58e295758ce22021d03d4335043148bd7610

SHA512
cdcb945a82a0304e4d7cfc9ae9d7e5a5e81d4e3025e982494c87c283f6fac542181e9e1e3028456b9b0b5b6279990cb3e1a50f9df0f6e707c70fa0e23c7a808c

Download Submit
C:\Program Files (x86)\EagleGet\lum_sdk32.dll

Filesize
2.5MB

MD5
f70f30ae1d1d0e1f8f2015e52e66a0f1

SHA1
62f7c6bebd04c7f607afea262c6da288c10fba23

SHA256
450ac74d8681d8d05abd0fdd34b0891e629bd4f39fabe996f5e721665de0dead

SHA512
baee69cdb4b58407740631bdd719b2cf7f78de970ba262f9488d123b70f90eb34426079f4d983e0261f2dd766b4415bbd10eac16f8ff870a7f91b0236bc6c6d1

Download Submit
C:\Program Files (x86)\EagleGet\lum_sdk32_clr.dll

Filesize
1.4MB

MD5
15bf1de003ac5bfd3f5d55f1a01b74d8

SHA1
2530f5819e189c19ba98858808053047af2e6bbd

SHA256
843c4acbecf80058ea8e089e17e7e3fb0e7482b0ea17f7476dd6bbd292400e98

SHA512
d665aaf3c98f33ea1baaaac51f75ba221ae1620c1fb7dc8982d1d664dc568ea9d82281f1c19dc2d29a7d16bc0cf09b814e075e6ea0f21884c39f685a6acdd3bc

Download Submit
C:\Program Files (x86)\EagleGet\luminati\20250216_152811_04_02_supported_1.172.289.log

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Program Files (x86)\EagleGet\luminati\20250216_152825_choice_change_1.172.289.log

Filesize
1KB

MD5
5175cbce0b5e991780b0049980ba3d9f

SHA1
04d755d4368b3c6be4dee0650d62f10afe9b785a

SHA256
f0c740cd28fc0e3d50f9bc9e66d92c4b22d82d7f7f155f42ad5657f62ab4c12e

SHA512
0360c0eef497c0379e5700454697c102850cc3f41db6ed9f71faca810293ecc75432b41011df427002892654abf3ab7f4e87bba1fc867297c2d596c2e7bded59

Download Submit
C:\Program Files (x86)\EagleGet\luminati\20250216_152826_04_06_choose_peer_1.172.289.log

Filesize
3KB

MD5
9e54b006f09a7928247d3db90a64f9e2

SHA1
8e25b8fbfee04d39f40623584ae63b0c25eaadad

SHA256
781b48df252e4d876fd794c9d0a47b7093832f43dada8472797eae0b95356118

SHA512
c610e286bb03f6696c5ee7abf837d37ef840cfffd845ff74ca323057de2b6a5e489a8203a8157adbc220ca79e50d71dd4d3eb7e3e2e87b49617ae4e156ea6cbd

Download Submit
C:\Program Files (x86)\EagleGet\luminati\20250216_152826_popup_close_1.172.289.log

Filesize
4KB

MD5
0ed6f12ecb6477a29cfde93848777093

SHA1
6845a3c652f15ddab609ea9405c9ac21422b6cbd

SHA256
c919e370a8d2251b1575c1ed3869c3dd72c7f60e268250ab41d6c5874d0271fa

SHA512
8c2a863d09e519d81863c60a2a9910426057bd417a8870f3030d0701e008a7277c8b28e47a890cf56faf4cf1e00ab40bb7eb8f81d07e84ccc3af5ab8437ba900

Download Submit
C:\Program Files (x86)\EagleGet\msvcr120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Program Files (x86)\EagleGet\net_updater32.exe

Filesize
2.0MB

MD5
398ae862a545dd10f4ec7103c1dfa846

SHA1
37e36747aed074daa7ad6ab4d34cce616acd6bf4

SHA256
e58e26c2254eea4a800af5db4384fde23819af4fc3893351a9efc21160bac239

SHA512
1652012fc830a8dd4e69d0c9f331d66d1dbb50c50e5da8a3b1813e446938a0dd1e01bc04e36fc45b2863c9409ca4691bdddfc0eceb32cb4e27d76b09db459e94

Download Submit
C:\Program Files (x86)\EagleGet\npEagleget.dll

Filesize
1.1MB

MD5
054e9138c058522469c15914b6cac191

SHA1
3348718abe2975375a3a7edc3e458c66216ae62c

SHA256
fa775101b3e3d36934e716cc1718ae1008893d91a344aa94a9d2424092c2266e

SHA512
d1e713e7506e67a989e196ad3ad1899599ece192150b79595f68a5df70f30bb2dc3b092f1461a081ddf9fddc69717ce03934e431fbf2271b02eb9c3dcea2d455

Download Submit
C:\Program Files (x86)\EagleGet\proxy.dll

Filesize
935KB

MD5
efd86d051508f93eb579fe383c4a178d

SHA1
1245f64675be60a46f9bd06cd05c745f2434b249

SHA256
3e082acacba78908405821eb3e20385398e19548dfa8917a886794403ddf78c5

SHA512
730d4e72f8b47932904ec3f7d5b0b245de82c485d698fbe0c88e4c7dcb94d453fcdfbd4fe26235ebc729a4cd60e7ea8d18bcffddaaa5658aa713401efb2d7d90

Download Submit
C:\Program Files (x86)\EagleGet\ssl.dll

Filesize
844KB

MD5
e08048c35eb288871cec585dff712fb9

SHA1
429a550b0ee400acfcdf287311882865ecb8d1b8

SHA256
f60645863b359f55aca2bea5fab96f6d5d75658c3d9edbe4e752d70ec0627085

SHA512
90f3d16099142771bea0b511bf335a80c95f6eff13b4d7fcdb0b4bb698f3757ccc3cf7f3acbf3938ae996021ef259fad90bb07d6e20c00ccce18167ea0d03c70

Download Submit
C:\Program Files (x86)\EagleGet\sslQuery.dll

Filesize
194KB

MD5
2fab3c62e113076f0a383d07d7126829

SHA1
08ff2d3b4ace54f2b721bf7e4bfbc9c31619c248

SHA256
23d3f1984563297059c1a2616da4ef2c79fddcba4ca3fc7f6fe18f1d6981728e

SHA512
659fbdb9d64a70ebfa90aa5de8c51ffa0e4404ef4124de199a095d4ca2590f9cf04c795d79952ea71336ef2da40fa6f7ff4e894349b22b5afd93c31f5ffe9c3b

Download Submit
C:\Program Files (x86)\EagleGet\ssleay32.dll

Filesize
576KB

MD5
8c32276fe49dcf47b6f3364e3e6ad610

SHA1
839d246d96e12babf3963d62d0bdb378dc916638

SHA256
bcc7cc8af2f8d4ed65866a09640ca8391f9065f199526a32d783def445b0f3b8

SHA512
387f0296615355264bd48a15c7e7c8be3c4707ea02de40a2dfecdf61d5d041a8a60b71621c4f0835df5e1d9dda3dd1921b9bc2054dc1332d8097684f7eefa329

Download Submit
C:\Program Files (x86)\EagleGet\test_wpf.exe

Filesize
17KB

MD5
3b996b69e145725c8d0e0557fbfb48e1

SHA1
1142ad91b7907981ae2bf688abb268d8431a497f

SHA256
bc9b6aa2bfd98e3b51358398f3fa94b118e6e098ea5568c11a2f14ebc9df7421

SHA512
13f46a55342de4a8878e0da763c7209c6ddc5da2d69b4c7d500dae64873fa28b66f2c88ceb8c28bd1733ea000c051350ded7d672e66f599254fcebb53d962a4b

Download Submit
C:\Program Files (x86)\EagleGet\unins000.dat

Filesize
67KB

MD5
34749a2f7a1a023d893d773050e1b2b6

SHA1
1e5b9021a523772bb6fc62a3821484732b9c7d07

SHA256
664ecd89ec74170bbc32e911de57bf75eef77ad9e3b08fc1c5c383e058291d4d

SHA512
24ee924c841dd858561bac3c83206b0185f40f0d5b45b038262948d48c6a4d126f1d719b044d0c2fcce90888bde1ce0a5077f256ac6cdbca1ddc71d38128bafe

Download Submit
C:\Program Files (x86)\EagleGet\unins000.exe

Filesize
1.2MB

MD5
44d563ac5e67e28730b5bad898bd4518

SHA1
775c67f4912fafd639c12c1e38ef4624f54edcd7

SHA256
f9ae0a8a53e9d0314b25f92f29892316bb3e228a22173e312a05627bcde1e31f

SHA512
3502f35038b1a28b538fb203db0951a2fcf445817c14c4352f76bafe44ffc9066ff66c395c7efaf5290d2d29b566e3b217a48aac98b2fc163a85572a49039d89

Download Submit
C:\Program Files (x86)\EagleGet\zlib.dll

Filesize
52KB

MD5
87eddceb9d22c129e386e652c5cda521

SHA1
0447ff30dfe7a5234624ea21a6947e88f6e80054

SHA256
792d768258eddaec86d9263e51ff64ee6f0bed2f28205f535ee150e94f8d6a2b

SHA512
83ae55dde165165b8001463cb3c4b3713ddc5108a68af5289055bdb10b2c10f1338e2eb6337703edc299e375f9c9f04e757d92eee535994ab61c841e2dff78ec

Download Submit
C:\Program Files (x86)\EagleGet\zlibwapi.dll

Filesize
382KB

MD5
b97a71c359c03cf1e9bc1c06e3aa9162

SHA1
c3d1971f3556a2d60df7683b601e7d0d42805588

SHA256
2c22a3dcad17df613e8bf2ae1db82387aef9826747136436c6d6f00b43dfa5ad

SHA512
f3e884abb645e101d80a33666bb610290fabd47da6855b4a5618d17d260730b9ffa0426f2c3ce9cc17068bdf496fed368b0c334f7421fc5575a58354718aa9c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c1e280cf422534c1043e1aafe76fd2a4

SHA1
e9ef1c4c4d7ede09e9887f41776a5350dc8fcd48

SHA256
e4b0b0e8d8b8c5c687a7706a9fa65abee299f38b34a655cafc144f61acc68053

SHA512
54a3787e15b5bdf5267997febbadaeb0f30402dd56f2b766f94203026e13d0f391a991f580edf97d65e614339ce5a1cc52bd2744a43a96741681567358f9a138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
08b321b910201e33005982fd1f6a97ce

SHA1
cf3f6e897dfe0da5ad2a6fa540b6a369c3774631

SHA256
f09868d8c297c94344f0f89939b1f28988e2a99a56519936a5fa3edc8a6e2d2d

SHA512
7dd980ea4c2f9f53a0f11fc6c33476f20ccef5635228a0d8c8478a64604a4f7a4f838ee4ce7b8f185eaa3c4626a3a2f8def9c54cd5ba0e19ee6a27c556155857

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
50e054826885512abb645abdb267eebb

SHA1
d5d0053fc9a41e50ed2ff03fec5c62a8de6881e7

SHA256
764b5491485f9606f91a410d9b18ac9f4522dbb4e3dd420b90ee47d4e85b49ec

SHA512
af0f3605ac7ca92a43000bfe163cd874af72225fdcf256c6465844d0577a4ba17735d17c8e7e0b46cd583ec38ff3497c88d7af64d3d2cc80f7064953b3ac789a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ebba399ec4a1ecf10fd7731fb8fc9179

SHA1
8ac4d4d812d8ba30608d548cef3911015e405dff

SHA256
132aaba03d16434f0dc725c90cc67ccfd79ca2ffad8a12384ed950887961c825

SHA512
b7cac7f7d0ca5f74854977f6a568d75e9865105a2655ca4a78a187078ddcd4e1a7fa8196d9d3a5ebfe4c68615de2716daa9fa26f84290632ad50230a7b64881b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4a03f46a3363c2d39b20554063a535c3

SHA1
9b4afb9766cfbaaea7841f8f0bf3b0d80b8c4379

SHA256
5173d0252f296ad36d1f8b8e9224023cdbddb43d924e2780dd3160365bcdc632

SHA512
3d1a93975bb903ed882315a197d9b2ca61b10217d1f44983b7cb8c5622bf0078229b13b7a5f6904e4c232c66dd894ab3f1c3bda5a30fc56b7c7646273f6b45dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7fcbd94f5ea55bec14bd689ac93ebfcd

SHA1
f4d6d542669f547c2a2fced797490df36446e1b0

SHA256
2ca449025b21a16a63cfa3818e7123df5c521f702dbbbdb98adc512e211455c1

SHA512
fd3cb493c7d0e707829a0ce3e06a26738bcc9396969b7961c2d162cc35211d5623178a765a6088edb3e3ff1e7fd96bbbe98b28117fb0859569459511a82b2535

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b613a8b3bcb245ca99d0e102e139e374

SHA1
b8d4eacc5e78b2e8666b0e6bf35ea0f1852a99da

SHA256
612f9f39105c8c1ae5e65c853de426cf3a94deac205c28b08bc44d0ebfae6be6

SHA512
746e0bb738de4cb5c9c128d9009f137f00b67e0561839ac00a0c6bc3207eb92e658d07e131ffb7d4082df15212703deef0d1b5ee2d497e97ddd6599e6c2b0568

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OE2KE.tmp\eagleget-2-1-6-50.tmp

Filesize
1.2MB

MD5
eb42e5720e09cd014694a22c86929f5e

SHA1
b619dccd5e1deb090d8eae6c6bac5e5dae91fdfb

SHA256
4dc2d414277e497490d2009f370051298bccaa649d0a335b064269a0bb9bbbf3

SHA512
4f5ea3e32f7da75799b8067351a860f6c840dba8108c92d34d4be7d6b811140e6b2dd161ba4bd90df77dff41b74e1e85b536b3776cadb656018a1914acc3ee2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RA2S6.tmp\CallbackCtrl.dll

Filesize
4KB

MD5
f07e819ba2e46a897cfabf816d7557b2

SHA1
8d5fd0a741dd3fd84650e40dd3928ae1f15323cc

SHA256
68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d

SHA512
7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RA2S6.tmp\back.png

Filesize
2KB

MD5
ef9ed169ba900bc5250d0210d25619e3

SHA1
d333ee23b4441e7da0109886159f7c9e78819c5c

SHA256
806f42fddd09b24993ec053e6fdcae023e4833b371590843a498aacac20b8c7c

SHA512
042e7fef639b74e421ab456e41301dedd1a91f29795b5594eea89ee95ff6c44b3f72936e639f8671bba3874fb6f536c7ef01bc878c5e3a1bdc1e73ae2f716267

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RA2S6.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RA2S6.tmp\btn_browser.png

Filesize
2KB

MD5
8dd4f9f2c22073544694eca39c4f305d

SHA1
f7944cd8aa4f4b5233867dbdcea034a8d4be69e2

SHA256
0f6e9827ef681b88722d2013ae44fe5f8eeeaf22b6fe64904ecd0852de8197c8

SHA512
1c8708c77e8e61659ad7a903a4b5431e72532645486ca62e9b84d42f2e1fce2ebf07d17b64241656e08f32d766843dea6bc40fe7e8ff6e010201de8860a0d189

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RA2S6.tmp\btn_close.png

Filesize
204B

MD5
b780d58e26ddf76733743501d00123d4

SHA1
594b7196378628bcc7107e8186e2f2f6da07ac0b

SHA256
8a6026306c1774d027022b3ee600c34b296ab8135f46c872d74c734baa239eac

SHA512
8691a1c2a00311f31224fee23803a91bc2a7597aa2ac928cfc43291b7c6cfd89bce7f7fd60d8448603b5c441ff2706f9686e1fa71c56041d0c5377eb1e14ba5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RA2S6.tmp\btn_complete.png

Filesize
2KB

MD5
af03b33cb3b3fcce4b69e62cd1078dc6

SHA1
d15fc6f9ef7eb0d7d0d02981692dd355ffafdd5f

SHA256
a37b5af0b4ec0c9598e0fd6570f4b4f60a4d9d9d10e589b93f509a60f04ace55

SHA512
edd54d31a64d302ba0ba1ada691b464b9c3252ca752ad9817ec8caa0f8b375a94786d6ded8fa313666fc07d648463fc9b47a937877c3716bf245e53a649343df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RA2S6.tmp\btn_min.png

Filesize
103B

MD5
2e9c0f6a83184050751c5cb0dfae2397

SHA1
f1c3e7a900db6572ac0940b833b1ec30141bc17d

SHA256
686967328122f54acd92f85f6c162d42a8f607148f511ec4f7ab41010fc7db66

SHA512
03256bfcf0df9e390e1cfa1b4571aece489270d6c72f231db1c0a1d22b9c181a89fb2865810af217956b052eb47f34d5636edef4606074f607203358370ffc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RA2S6.tmp\btn_n.png

Filesize
1KB

MD5
66deff37283bca24ea963ae3a3963b38

SHA1
6c2410db0d9d77ed8019c01d68cb9fcdfa93b330

SHA256
d9f0859f6a5648b0a9060200cc9a7534161e1b22844f631766e4e3540090790a

SHA512
706a5f2b297694f48f623ba3ab9b0cbadd4a48be9d3b619ec76cf0aadf1638134d65a8de492b869573c136665778bfe86133cb9973d47f29f95683c4bb83faa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RA2S6.tmp\btn_setup.png

Filesize
4KB

MD5
212afbaedaa752a5e8957a609a0ae9f1

SHA1
73e210e0fdd3ac797e6b30bb57a17f2ddd195002

SHA256
d95a68be5109a23db0d0dff20ba3453ca69d39f48f2ae996255b84557a96881b

SHA512
b83e22c50f011f2bb42ea6936bd2b776d9371c933119a7aa19181cb2a3f7e050478c8e679410aea39ecc750b408ecf55fd927bad1234fa041a89ebd737ac5061

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RA2S6.tmp\checkboxdeep.png

Filesize
351B

MD5
3f5325a8962d480ccb89be73e7e054b5

SHA1
319e2f9e1c6c681f79265f6b24606574cbbeebbc

SHA256
ecfe768ec009c8cb24edb1dd3cfe8a8e8a583fcfc90ec90442ce1c8d59241cdc

SHA512
5994ba26c4fdc4ae3a94af2e0e48e3e173c8094fa8b069bfa47b1403ba8283e2ee312f49c308eed2f0d9d244373577244c6d8e4495d4f91f8b6597fff90b4db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RA2S6.tmp\license.png

Filesize
1KB

MD5
8277d98e048ba1adf360d63622f5b0bf

SHA1
0bdc270cd963b2b34e919250455062f782052a47

SHA256
9a004daa7630d4916c962e681f1a1f95db3ff476fe82272dc937f7ac200683a2

SHA512
5b8a354efe4073473a92118027b06d1fe599a422f395fbfa17ce0bf5c3a0cb94c7bfadb1c324e66829ad478e1561200259d32d05514fbaa22f6bbc3a90a8579a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RA2S6.tmp\loading.png

Filesize
89B

MD5
589ac6ffe91a177aff97dabe25689011

SHA1
36e1bf95b0ddee3359b906aedcd1bdf74dfb646d

SHA256
2313bd947e407ccee25c6bcba3c7d45f5c92159950d9d1277d258a293760a732

SHA512
688dd947443dcb79a85843ccb845c5ec4a867dbb393e6fc0e4bf5d143faaf8ffc13360d4663aaa37862e30ca8a52f1adbb066c29e893feed8f057fcbd7ca1a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RA2S6.tmp\loading_pic.png

Filesize
12KB

MD5
cd6306a12fc1fcedfa3b58da75386bda

SHA1
7ca8035de254c7daa138d4fbab14e3a1045538aa

SHA256
a6a1ee3dfe884126494a906cc36fb34f7a75ee0db932e0f4b4507b5cf9851765

SHA512
bda08fcfe9ccf5b9ac41adc4b5fd53cb510ad4f89aec611206d5e8125319e99972d6c28aabac4e492927efd9602bca51fdfe8ffaaca886dd224c3c50bf587b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RA2S6.tmp\loadingbk.png

Filesize
112B

MD5
bc922799a665701140e9f65da9722b61

SHA1
6f3248d471ac006145266498e6f0012423bd25c4

SHA256
08e0aa5886e0951fa48c3c1d6b6307e542dfcbed8e953c5d685e88433293b652

SHA512
b9ca303317906d6e9dd5efc30e10fadb5191725d03bcd7b99a7519409948543fa83f7e85db03428ab7594bbb42c8e598dac447a91e404aa2c31cfc80eeaaa5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RA2S6.tmp\sqlite3.dll

Filesize
596KB

MD5
ee7e9a4cb1bc952e356145eb6306a6ee

SHA1
e32952efe8daf7c58821cd008ae5169719c0e580

SHA256
50f7c306c28a22cd277daffa5d3f28ac7cb4c561b260aa8c4626587f8e82f103

SHA512
44fb2e38fd36e860685bad86fde03a9b829c98d4b8fa1bccbc061eb038a9e9031166f2249caeee135d584ee8b9fa1cdf27902ff017dfe6fa7285e75eb1c96c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RA2S6.tmp\util.dll

Filesize
1010KB

MD5
192c98cb51f39be053ad5c7e029e75f8

SHA1
2fbb285edc39d51a0e56a7ef996c9f67c4b1a015

SHA256
a2ef6b8fbf44bc77631d5635b8abedf90db5903b94618753168f5a904ebc5f60

SHA512
4b810f8861d037e3581fadb17a7a22f29648eb651d9bbd2827167fdce94975a5eef25d899009286ce6636a59732b6728510b6f9e151ea2d026f764dd1fd5bf2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RA2S6.tmp\xy.png

Filesize
11KB

MD5
e92f3fbf3876c4044722fd975281b3ff

SHA1
d92877cad872663616a48f25af291e8bffb246aa

SHA256
31137ad0ef19381e1778eb89b6cb9f70a9ee5244ad943ad494e1e57b18b48ab7

SHA512
46fdb373fe54ecf762adcba6a08a0e2e67080d97931fe1407d4f60b74921d9ef7d38ec7104271805635a015ba5230a09e16de60010aecc5c404ae376efddfac7

Download Submit
C:\Users\Admin\AppData\Local\luminati\494419af5d7e83503dd53f7beed2d6841c1136e5

Filesize
32B

MD5
5b2b9040c43851a3184d0d6da8481718

SHA1
e7e00bd6bfc18ca428f227daeff7848aa9b42d77

SHA256
62bf891a552c136f585688cb452c64c6c4c4e0d5da73d9218dca7392162a5284

SHA512
bd784d8dbea18714d50dd5de7a4df9aa27b915d8677ef5d474bbc675a0e662843c23ac857d3887d1d3b05dd7862a9befde84b1b18acc60522d5254b78178d7c9

Download Submit
memory/2844-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2844-106-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2844-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2844-699-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3336-107-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/3336-7-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/3336-447-0x00000000034E0000-0x00000000034EE000-memory.dmp

Filesize
56KB

Download
memory/3336-541-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/3336-56-0x00000000034E0000-0x00000000034EE000-memory.dmp

Filesize
56KB

Download
memory/3336-698-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/3336-131-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/3336-113-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/3336-442-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/3336-108-0x00000000034E0000-0x00000000034EE000-memory.dmp

Filesize
56KB

Download
memory/3336-542-0x00000000034E0000-0x00000000034EE000-memory.dmp

Filesize
56KB

Download
memory/4356-406-0x0000000000B40000-0x0000000000B48000-memory.dmp

Filesize
32KB

Download
memory/4356-408-0x0000000005580000-0x000000000558E000-memory.dmp

Filesize
56KB

Download
memory/4356-407-0x00000000055C0000-0x00000000055F8000-memory.dmp

Filesize
224KB

Download
memory/4432-468-0x0000000005E70000-0x0000000005E92000-memory.dmp

Filesize
136KB

Download
memory/4432-469-0x0000000005EA0000-0x00000000061F4000-memory.dmp

Filesize
3.3MB

Download
memory/4432-464-0x0000000005BF0000-0x0000000005D54000-memory.dmp

Filesize
1.4MB

Download
memory/4432-467-0x0000000005D60000-0x0000000005E08000-memory.dmp

Filesize
672KB

Download
memory/4432-466-0x0000000005B40000-0x0000000005B56000-memory.dmp

Filesize
88KB

Download
memory/4432-465-0x0000000005AA0000-0x0000000005B40000-memory.dmp

Filesize
640KB

Download
memory/4432-499-0x000000000CB10000-0x000000000CB32000-memory.dmp

Filesize
136KB

Download
memory/4432-488-0x000000000B950000-0x000000000BAD6000-memory.dmp

Filesize
1.5MB

Download
memory/4432-487-0x000000000AC00000-0x000000000AC08000-memory.dmp

Filesize
32KB

Download
memory/4672-626-0x0000000009850000-0x0000000009BA4000-memory.dmp

Filesize
3.3MB

Download
memory/4672-716-0x0000000063080000-0x0000000063254000-memory.dmp

Filesize
1.8MB

Download
memory/4672-717-0x000000006E400000-0x000000006E479000-memory.dmp

Filesize
484KB

Download
memory/4672-576-0x0000000000610000-0x0000000000675000-memory.dmp

Filesize
404KB

Download
memory/4672-596-0x0000000001AD0000-0x0000000001EEA000-memory.dmp

Filesize
4.1MB

Download
memory/4672-594-0x0000000001810000-0x00000000018F9000-memory.dmp

Filesize
932KB

Download
memory/4672-619-0x0000000008C80000-0x0000000008DE4000-memory.dmp

Filesize
1.4MB

Download