be5357f63b036da79d198978cbc5b652ea02b1ccfcb1538352442cdc7f4d5549

Resubmissions

01/02/2024, 21:27

240201-1at8kaedg4 6

01/02/2024, 21:23

240201-z8fbmagfcm 6

Analysis

max time kernel
143s
max time network
141s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
01/02/2024, 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Delta V3.61 b_82160033.exe
Size

9.5MB
MD5

93d16508432c3ff3512eb9de584f48e6
SHA1

6ed9fd4d190afc6c5154730d85cf883fd3ad4d2e
SHA256

be5357f63b036da79d198978cbc5b652ea02b1ccfcb1538352442cdc7f4d5549
SHA512

08ad71f9b6b3a65cb22b6a65c8e44d4e004de2d10683dd89a8eac5af67127b126db301ca55e00740e7342c2896cf4b7178257e9d4e446a03db13e122c4116338
SSDEEP

196608:MulB4qN8C0lgVk2rqNemQ3bKfIiaNPFHNRsiK:jee87gbrqNeL3bIIiEHMn

Score

6^/10

discovery

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	setup82160033.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	setup82160033.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	setup82160033.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	setup82160033.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	setup82160033.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	setup82160033.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	setup82160033.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	setup82160033.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
113	discord.com
114	discord.com
115	discord.com

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Executes dropped EXE 3 IoCs

pid	Process
2392	setup82160033.exe
4252	setup82160033.exe
2836	OfferInstaller.exe

Loads dropped DLL 64 IoCs

pid	Process
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe
4252	setup82160033.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
3844	timeout.exe
2896	timeout.exe
856	timeout.exe
3044	timeout.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
2480	tasklist.exe
2940	tasklist.exe
1892	tasklist.exe
4808	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133512968554244365"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 0100000050dc38d8d249f12652cd6780e5de547910d60bbc866c1c732f353a793d3722aa181d16be79a7e6fc5c546044e25f0daa249db6a39ee42c00850a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = d91b717b5655da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2baf8e755655da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{9F80A041-60C8-4E67-B1E0-83C6F0606FF6} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = fca57a7b5655da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Opera GXStable	Delta V3.61 b_82160033.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	setup82160033.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup82160033.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup82160033.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
64	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
2392	setup82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
4488	Delta V3.61 b_82160033.exe
2836	OfferInstaller.exe
2836	OfferInstaller.exe
2836	OfferInstaller.exe
2836	OfferInstaller.exe
2836	OfferInstaller.exe
2764	chrome.exe
2764	chrome.exe
2484	Delta.exe
2484	Delta.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
5136	MicrosoftEdgeCP.exe
5136	MicrosoftEdgeCP.exe
5136	MicrosoftEdgeCP.exe
5136	MicrosoftEdgeCP.exe
5136	MicrosoftEdgeCP.exe
5136	MicrosoftEdgeCP.exe
5136	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2392	setup82160033.exe
Token: SeDebugPrivilege	2836	OfferInstaller.exe
Token: SeDebugPrivilege	2480	tasklist.exe
Token: SeDebugPrivilege	2940	tasklist.exe
Token: SeDebugPrivilege	1892	tasklist.exe
Token: SeDebugPrivilege	4808	tasklist.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeDebugPrivilege	2484	Delta.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeDebugPrivilege	5212	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5212	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5212	MicrosoftEdgeCP.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4488	Delta V3.61 b_82160033.exe
2392	setup82160033.exe
4488	Delta V3.61 b_82160033.exe
2064	MicrosoftEdge.exe
5136	MicrosoftEdgeCP.exe
5212	MicrosoftEdgeCP.exe
5136	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 2392	4488	Delta V3.61 b_82160033.exe	74
PID 4488 wrote to memory of 2392	4488	Delta V3.61 b_82160033.exe	74
PID 4488 wrote to memory of 2392	4488	Delta V3.61 b_82160033.exe	74
PID 4488 wrote to memory of 4252	4488	Delta V3.61 b_82160033.exe	75
PID 4488 wrote to memory of 4252	4488	Delta V3.61 b_82160033.exe	75
PID 4488 wrote to memory of 4252	4488	Delta V3.61 b_82160033.exe	75
PID 2392 wrote to memory of 2836	2392	setup82160033.exe	76
PID 2392 wrote to memory of 2836	2392	setup82160033.exe	76
PID 2392 wrote to memory of 2836	2392	setup82160033.exe	76
PID 2392 wrote to memory of 1556	2392	setup82160033.exe	77
PID 2392 wrote to memory of 1556	2392	setup82160033.exe	77
PID 2392 wrote to memory of 1556	2392	setup82160033.exe	77
PID 1556 wrote to memory of 2480	1556	cmd.exe	79
PID 1556 wrote to memory of 2480	1556	cmd.exe	79
PID 1556 wrote to memory of 2480	1556	cmd.exe	79
PID 1556 wrote to memory of 2268	1556	cmd.exe	80
PID 1556 wrote to memory of 2268	1556	cmd.exe	80
PID 1556 wrote to memory of 2268	1556	cmd.exe	80
PID 1556 wrote to memory of 3844	1556	cmd.exe	82
PID 1556 wrote to memory of 3844	1556	cmd.exe	82
PID 1556 wrote to memory of 3844	1556	cmd.exe	82
PID 2836 wrote to memory of 4600	2836	OfferInstaller.exe	87
PID 2836 wrote to memory of 4600	2836	OfferInstaller.exe	87
PID 2836 wrote to memory of 4600	2836	OfferInstaller.exe	87
PID 4600 wrote to memory of 2940	4600	cmd.exe	84
PID 4600 wrote to memory of 2940	4600	cmd.exe	84
PID 4600 wrote to memory of 2940	4600	cmd.exe	84
PID 4600 wrote to memory of 2464	4600	cmd.exe	83
PID 4600 wrote to memory of 2464	4600	cmd.exe	83
PID 4600 wrote to memory of 2464	4600	cmd.exe	83
PID 4600 wrote to memory of 2896	4600	cmd.exe	85
PID 4600 wrote to memory of 2896	4600	cmd.exe	85
PID 4600 wrote to memory of 2896	4600	cmd.exe	85
PID 4600 wrote to memory of 1892	4600	cmd.exe	89
PID 4600 wrote to memory of 1892	4600	cmd.exe	89
PID 4600 wrote to memory of 1892	4600	cmd.exe	89
PID 4600 wrote to memory of 3560	4600	cmd.exe	88
PID 4600 wrote to memory of 3560	4600	cmd.exe	88
PID 4600 wrote to memory of 3560	4600	cmd.exe	88
PID 4600 wrote to memory of 856	4600	cmd.exe	90
PID 4600 wrote to memory of 856	4600	cmd.exe	90
PID 4600 wrote to memory of 856	4600	cmd.exe	90
PID 4600 wrote to memory of 4808	4600	cmd.exe	93
PID 4600 wrote to memory of 4808	4600	cmd.exe	93
PID 4600 wrote to memory of 4808	4600	cmd.exe	93
PID 4600 wrote to memory of 1128	4600	cmd.exe	92
PID 4600 wrote to memory of 1128	4600	cmd.exe	92
PID 4600 wrote to memory of 1128	4600	cmd.exe	92
PID 4600 wrote to memory of 3044	4600	cmd.exe	91
PID 4600 wrote to memory of 3044	4600	cmd.exe	91
PID 4600 wrote to memory of 3044	4600	cmd.exe	91
PID 4488 wrote to memory of 64	4488	Delta V3.61 b_82160033.exe	94
PID 4488 wrote to memory of 64	4488	Delta V3.61 b_82160033.exe	94
PID 4488 wrote to memory of 64	4488	Delta V3.61 b_82160033.exe	94
PID 2764 wrote to memory of 4800	2764	chrome.exe	97
PID 2764 wrote to memory of 4800	2764	chrome.exe	97
PID 2764 wrote to memory of 1520	2764	chrome.exe	102
PID 2764 wrote to memory of 1520	2764	chrome.exe	102
PID 2764 wrote to memory of 1520	2764	chrome.exe	102
PID 2764 wrote to memory of 1520	2764	chrome.exe	102
PID 2764 wrote to memory of 1520	2764	chrome.exe	102
PID 2764 wrote to memory of 1520	2764	chrome.exe	102
PID 2764 wrote to memory of 1520	2764	chrome.exe	102
PID 2764 wrote to memory of 1520	2764	chrome.exe	102

C:\Users\Admin\AppData\Local\Temp\Delta V3.61 b_82160033.exe
"C:\Users\Admin\AppData\Local\Temp\Delta V3.61 b_82160033.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Users\Admin\AppData\Local\setup82160033.exe
  C:\Users\Admin\AppData\Local\setup82160033.exe hhwnd=655824 hreturntoinstaller hextras=id:ad413892c2b60f5-RO-KA1rz
  2⤵
  - Checks for any installed AV software in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4600
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "2836"
        5⤵
        
        PID:3560
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 2836" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        Delays execution with timeout.exe
        
        PID:856
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:3044
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "2836"
        5⤵
        
        PID:1128
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 2836" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "PID eq 2392" /fo csv
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2480
  - - C:\Windows\SysWOW64\find.exe
      find /I "2392"
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:3844
- C:\Users\Admin\AppData\Local\setup82160033.exe
  C:\Users\Admin\AppData\Local\setup82160033.exe hready
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4252
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:64

C:\Windows\SysWOW64\find.exe
find /I "2836"
1⤵
PID:2464

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "PID eq 2836" /fo csv
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\SysWOW64\timeout.exe
timeout 1
1⤵
- Delays execution with timeout.exe
PID:2896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb6e069758,0x7ffb6e069768,0x7ffb6e069778
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1848 --field-trial-handle=1880,i,14148072449962290876,17379749306239988060,131072 /prefetch:8
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1880,i,14148072449962290876,17379749306239988060,131072 /prefetch:1
  2⤵
  PID:656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2888 --field-trial-handle=1880,i,14148072449962290876,17379749306239988060,131072 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1880,i,14148072449962290876,17379749306239988060,131072 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1880,i,14148072449962290876,17379749306239988060,131072 /prefetch:2
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3932 --field-trial-handle=1880,i,14148072449962290876,17379749306239988060,131072 /prefetch:1
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4660 --field-trial-handle=1880,i,14148072449962290876,17379749306239988060,131072 /prefetch:8
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 --field-trial-handle=1880,i,14148072449962290876,17379749306239988060,131072 /prefetch:8
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4952 --field-trial-handle=1880,i,14148072449962290876,17379749306239988060,131072 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4948 --field-trial-handle=1880,i,14148072449962290876,17379749306239988060,131072 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3792 --field-trial-handle=1880,i,14148072449962290876,17379749306239988060,131072 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1880,i,14148072449962290876,17379749306239988060,131072 /prefetch:8
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3996 --field-trial-handle=1880,i,14148072449962290876,17379749306239988060,131072 /prefetch:8
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 --field-trial-handle=1880,i,14148072449962290876,17379749306239988060,131072 /prefetch:8
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5180 --field-trial-handle=1880,i,14148072449962290876,17379749306239988060,131072 /prefetch:1
  2⤵
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3932 --field-trial-handle=1880,i,14148072449962290876,17379749306239988060,131072 /prefetch:8
  2⤵
  PID:2912

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4508

C:\Users\Admin\Downloads\Delta V3.61\Delta V3.61\Delta.exe
"C:\Users\Admin\Downloads\Delta V3.61\Delta V3.61\Delta.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2064

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3368

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5136

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5212

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5848

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5980

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
4e34534e638d6338dbc889a9f517e389

SHA1
cf077eb0c6841a32ebc6a4ebbe08aa2a8fcf1f85

SHA256
4289edb2e457d160bc90932c8915d2242ab349b0e64fb030e1b693f8c0c4bed7

SHA512
d32ddad9537341869b390ea2d8364a55e73b303fc3ee7b3e6a6a5a0d3d8bada4667d886009dcb6aa31504eea88bfabad96654cdd9fb70b18e8340b5d4bb3fae1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
768e808471357b31fbd772ccada95df4

SHA1
78f13033e664466a72114b935e69d472d6e0d445

SHA256
1b554681b4b06de1ea2e6c0c7e03a9d5312eb87ca9bc2b711881487a99f32c71

SHA512
cd53481f20f3977471ce2b3d1dac0f88f7ca6691c648f8a8fed4f4a324bdd536c3357abf5e44bda05a5cb1e1f8b387393217daa0b98f1e7ddf73e0636559dd91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
535B

MD5
a79e807d5c9dfbb146e28aba20558d80

SHA1
52d43076721bdad3b23a4281dd506035d281b36a

SHA256
cfcc59c5f8ff00e9f580496d7859b2505ac63578a81b4d5a086c0339f8e4e15a

SHA512
c7fbf0223c1668072ac569e24d891b6b4644fb44f0f7fbb5a114080f14f64886c03cb12ed4914f916be1ad0c45a7403cffecf04e5c9219bbbc77b801df7c24bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
79398658b34e9bdd514f77065086228f

SHA1
fa484cbe2a726cc064b3ba7e3048304462cd0317

SHA256
2ed4fe236e08139a898dc672670af284a0e932bf90d1f13cf687c95f88ff241f

SHA512
4bb5498d3a59563027951d9c4186fc8cecac69c80d4a627de6a19bf7cb8c0f2172c1ad979355865311109b50b01f64a591006fd201783f045ab25cc4765058cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d06b761b90bb58965772becd2620323d

SHA1
71fd3bb8eaf7244f7284e5fdf33ace01185ce381

SHA256
13216bc70979bca0cd7f2f504a0b2e21df30a258d9a436917feb01f36e255645

SHA512
e06eccac137ffe04302ff63d72f9b0f0c25d07468d58e219f6c3853234c91afa0d314da4f4ec61e6f5a5573f8f36de1041c05b0d57f36c4f78e435cc0d4f2c8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
be34a64ecd61f93c45d1585ea7a03464

SHA1
736718cdb2faa817944143d23640934f3834654c

SHA256
796fcaefe063550a8a45e7ce40216bb674b936bf0a6452b8a77726520f62f494

SHA512
e9dd400f0ea8666b8a143638dd75f9395a381eae948fc79c72c63e731555687ae9ffba037364b74a00132b93dcb3328f7fb3f9fa17f991e62df129f4f04e6d08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
b1a3bfb1abd7293b4e730ec995c8333e

SHA1
6aa5d20ec6c3cc14c475e33006baeaa459adf3b0

SHA256
45a655163a1276e89c958ffc3f02de3cf524ace4951787cecc8c9e1f98331480

SHA512
dc50224a450fd80ceccfe359f12bf8af32de3d539966a22b451e257255321eb1ace853be01d5f85414b7f7e4617b88ef551b0bc26468d7553438802abaa6ff92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
8375558f999b5ca263e3f99e5983cb7e

SHA1
b077d6c7ec65d037c683a8e339c02ea7ff936646

SHA256
627e8073f38af1518f28ff566965fd1b6f7f1a4df8c8930442d2311c01246280

SHA512
bbbfb54ef650c33c6449c51f78fad2e8dd299b3a86ee5fce90b0238e389d4bc716eeb938e333ff623c38b52e13e309f560dfc985eca66c52eb46a5e17cb59ae9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\BAF3LTPG\favicon[2].png

Filesize
7KB

MD5
9e3fe8db4c9f34d785a3064c7123a480

SHA1
0f77f9aa982c19665c642fa9b56b9b20c44983b6

SHA256
4d755ac02a070a1b4bb1b6f1c88ab493440109a8ac1e314aaced92f94cdc98e9

SHA512
20d8b416bd34f3d80a77305c6fcd597e9c2d92ab1db3f46ec5ac84f5cc6fb55dfcdccd03ffdc5d5de146d0add6d19064662ac3c83a852f3be8b8f650998828d1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\SWWFAYZF\favicon[1].ico

Filesize
758B

MD5
84cc977d0eb148166481b01d8418e375

SHA1
00e2461bcd67d7ba511db230415000aefbd30d2d

SHA256
bbf8da37d92138cc08ffeec8e3379c334988d5ae99f4415579999bfbbb57a66c

SHA512
f47a507077f9173fb07ec200c2677ba5f783d645be100f12efe71f701a74272a98e853c4fab63740d685853935d545730992d0004c9d2fe8e1965445cab509c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll

Filesize
117KB

MD5
08112f27dcd8f1d779231a7a3e944cb1

SHA1
39a98a95feb1b6295ad762e22aa47854f57c226f

SHA256
11c6a8470a3f2b2be9b8cafe5f9a0afce7303bfd02ab783a0f0ee09a184649fa

SHA512
afd0c7df58b63c7cfdbedea7169a1617f2ac4bad07347f8ed7757a25ab0719489d93272109b73a1b53e9c5997dedad8da89da7b339d30fc2573ca2f76c630ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll

Filesize
57KB

MD5
91a8d04aa620f1e7ebd3a45fee35879d

SHA1
0f09ddc210837fa1e70a0538e9345ff0bc3fdbb8

SHA256
2c9ee585a08d66f9488a8e29075ba2a79af814c424dad55a7c48861fee4d127b

SHA512
cd0c7cbd5e89c1ea12007df83cfe0b319354a8b6fd2c874a89bb4e641562a224f61900c5a89fe9ed789d00b16e40de858e0c6a3d599e3f52fbdc4ad7cca482b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll

Filesize
75KB

MD5
c06ac6dcfa7780cd781fc9af269e33c0

SHA1
f6b69337b369df50427f6d5968eb75b6283c199d

SHA256
b23b8310265c14d7e530b80defc6d39cdc638c07d07cd2668e387863c463741d

SHA512
ad167ad62913243e97efaeaa7bad38714aba7fc11f48001974d4f9c68615e9bdfb83bf623388008e77d61cee0eaba55ce47ebbb1f378d89067e74a05a11d9fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll

Filesize
19KB

MD5
554c3e1d68c8b5d04ca7a2264ca44e71

SHA1
ef749e325f52179e6875e9b2dd397bee2ca41bb4

SHA256
1eb0795b1928f6b0459199dace5affdc0842b6fba87be53ca108661275df2f3e

SHA512
58ce13c47e0daf99d66af1ea35984344c0bb11ba70fe92bc4ffa4cd6799d6f13bcad652b6883c0e32c6e155e9c1b020319c90da87cb0830f963639d53a51f9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll

Filesize
160KB

MD5
6df226bda27d26ce4523b80dbf57a9ea

SHA1
615f9aba84856026460dc54b581711dad63da469

SHA256
17d737175d50eee97ac1c77db415fe25cc3c7a3871b65b93cc3fad63808a9abc

SHA512
988961d7a95c9883a9a1732d0b5d4443c790c38e342a9e996b072b41d2e8686389f36a249f2232cb58d72f8396c849e9cc52285f35071942bec5c3754b213dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll

Filesize
119KB

MD5
9d2c520bfa294a6aa0c5cbc6d87caeec

SHA1
20b390db533153e4bf84f3d17225384b924b391f

SHA256
669c812cb8f09799083014a199b0deee10237c95fb49ee107376b952fee5bd89

SHA512
7e2e569549edb6ddd2b0cb0012386aed1f069e35d1f3045bb57704ef17b97129deb7cde8e23bc49980e908e1a5a90b739f68f36a1d231b1302a5d29b722e7c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OViewModels.dll

Filesize
8KB

MD5
be4c2b0862d2fc399c393fca163094df

SHA1
7c03c84b2871c27fa0f1914825e504a090c2a550

SHA256
c202e4f92b792d34cb6859361aebdbfc8c61cf9e735edfd95e825839920fb88a

SHA512
d9c531687a5051bbfe5050c5088623b3fd5f20b1e53dd4d3ed281c8769c15f45da36620231f6d0d76f8e2aa7de00c2324a4bf35a815cefc70ca97bc4ab253799

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll

Filesize
154KB

MD5
17220f65bd242b6a491423d5bb7940c1

SHA1
a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

SHA256
23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

SHA512
bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Core.dll

Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Extension.dll

Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll

Filesize
385KB

MD5
536c61e07a793eb4bc3694c0c37cfea0

SHA1
ec2cf08217840405fa23cfca333f21b90f334969

SHA256
0f4c97542719ad2d2889f469541db1d81769400064be325a27ce5be040253ff8

SHA512
94ed897b3b0b8d9e503518fa063654173892840ee281505e3089c0cc65208e5bd8bf972f360e95197889555d5a7b33810afb91462d2eafa2e639d0ba4511ab35

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll

Filesize
72KB

MD5
f03a8c28e3aad3551dcdee7455a78199

SHA1
cf1daab43b899f42d2f370b18782373aa6f2a767

SHA256
efbfce155fe43c7498e5cfbec0e5ff8cd0145bba338753b97f88ca58641d54ff

SHA512
2507477bff9f448a4087ede04531b3a6ddf99eeb93556c53750c2b35e34b3dd27f552f874d2f95e1b048a920e244f3ae1acd5b9b59580e9bb29d0e2af5d53754

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll

Filesize
172KB

MD5
b199dcd6824a02522a4d29a69ab65058

SHA1
f9c7f8c5c6543b80fa6f1940402430b37fa8dce4

SHA256
9310a58f26be8bd453cde5ca6aa05042942832711fbdeb5430a2840232bfa5e4

SHA512
1d3e85e13ff24640c76848981ca84bafb32f819a082e390cb06fe13445814f50f8e3fc3a8a8e962aae8867e199c1517d570c07f28d5f7e5f007b2bb6e664ddb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\OfferPage.html

Filesize
1KB

MD5
9ba0a91b564e22c876e58a8a5921b528

SHA1
8eb23cab5effc0d0df63120a4dbad3cffcac6f1e

SHA256
2ad742b544e72c245f4e9c2e69f989486222477c7eb06e85d28492bd93040941

SHA512
38b5fb0f12887a619facce82779cb66e2592e5922d883b9dc4d5f9d2cb12e0f84324422cd881c948f430575febd510e948a22cd291595e3a0ba0307fce73bec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\tis\Config.tis

Filesize
291B

MD5
bf5328e51e8ab1211c509b5a65ab9972

SHA1
480dfb920e926d81bce67113576781815fbd1ea4

SHA256
98f22fb45530506548ae320c32ee4939d27017481d2ad0d784aa5516f939545b

SHA512
92bd7895c5ff8c40eecfdc2325ee5d1fb7ed86ce0ef04e8e4a65714fcf5603ea0c87b71afadb473433abb24f040ccabd960fa847b885322ad9771e304b661928

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll

Filesize
134KB

MD5
105a9e404f7ac841c46380063cc27f50

SHA1
ec27d9e1c3b546848324096283797a8644516ee3

SHA256
69fe749457218ec9a765f9aac74caf6d4f73084cf5175d3fd1e4f345af8b3b8b

SHA512
6990cbfc90c63962abde4fdaae321386f768be9fcf4d08bccd760d55aba85199f7a3e18bd7abe23c3a8d20ea9807cecaffb4e83237633663a8bb63dd9292d940

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\app.ico

Filesize
766B

MD5
4003efa6e7d44e2cbd3d7486e2e0451a

SHA1
a2a9ab4a88cd4732647faa37bbdf726fd885ea1e

SHA256
effd42c5e471ea3792f12538bf7c982a5cda4d25bfbffaf51eed7e09035f4508

SHA512
86e71ca8ca3e62949b44cfbc7ffa61d97b6d709fc38216f937a026fb668fbb1f515bac2f25629181a82e3521dafa576cac959d2b527d9cc9eb395e50d64c1198

Download Submit
C:\Users\Admin\AppData\Local\setup82160033.exe

Filesize
1.9MB

MD5
1a73a0646dbbb39ec43eeed99dff88d5

SHA1
cea6a62535849262a50c233cf02e695b446858fc

SHA256
a9e77dfed667afe0bcad3c37d8eac6b610090bffca530cfa8f3a98ed6d2d392f

SHA512
f0e700c8b85372bc268f30eaf3050950e99d58792a0e67a39f1b50f1bfcbd4da38d4681ad99eeb84cd9f50000faed2901398d71574753d97affb828aaa65f810

Download Submit
C:\Users\Admin\AppData\Local\setup82160033.exe

Filesize
1.7MB

MD5
c834018da036823c878e9daf17cbd8dd

SHA1
831cc601fb9f666dfeed0adddb6409cab30a915c

SHA256
e70eb9fa3452e4e51d7b6edd72cf281496ccd224a9c4ee125e0629dfd2b77718

SHA512
869eca31391e6e67c75f1ea49413667b4c83b24d6b764d8dd9ef090fd94df6d5e7e9c9dd0fd2b701913b9ea0da6576d8b48ade4d0ce79efcb7dbe264143fbc37

Download Submit
C:\Users\Admin\AppData\Local\setup82160033.exe

Filesize
458KB

MD5
e2947fd6fdd058622ceea92cab8df40c

SHA1
ef1650df6c6bab83ec35847d8a092562b077ecb9

SHA256
5b8882f64c81b34b35e7049ff244a071d565f0ae15028596393e5931cb2a6e0f

SHA512
ed51efb4dd8df9401492c40475a2e17cba19fbf4ff3e6f8b1f5348dcfda0a8f692777beb34b12cdc051056dc24533af1b331ff1d985a3670e927afeb8fe04662

Download Submit
C:\Users\Admin\Downloads\Delta V3.61.zip

Filesize
8.6MB

MD5
fe5fcff1319d1c9e4ea37cc31e935431

SHA1
90aad6227f0aebb8524ad43585e4143ff346991e

SHA256
823faea95b1b2efc6dd59aa535d0fbd0dce712c6e1b810611c31119087578b7a

SHA512
6bb50a71d671a0431710a2b3864efaeabf1843749545ab328103483b7554aaa98f3acac5fc2437d7c7dab4048dbccf84f444df0f276b321798a034a3a2379d09

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.LastScreen.dll

Filesize
57KB

MD5
6e001f8d0ee4f09a6673a9e8168836b6

SHA1
334ad3cf0e4e3c03415a4907b2d6cf7ba4cbcd38

SHA256
6a30f9c604c4012d1d2e1ba075213c378afb1bfcb94276de7995ed7bbf492859

SHA512
0eff2e6d3ad75abf801c2ab48b62bc93ebc5a128d2e03e507e6e5665ff9a2ab58a9d82ca71195073b971f8c473f339baffdd23694084eaaff321331b5faaecf6

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll

Filesize
92KB

MD5
8ab76685e5428dbc710be3760aca97fb

SHA1
bab3668bfd561a615a83bd5884abbb36382d01d7

SHA256
26d4a8db8f71640570773c677dc3facc2325d6374c7fe5e6354287f3f7055ae4

SHA512
45ea576f8ec408be8fcead12f4b3378bbfd52cc6b5a853444e38d424d9585b3d25e9c391edd3b7d2a84b7f139cb9bcc072dab64553f08c155ce50b1f794393a6

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2ODAL.dll

Filesize
15KB

MD5
422be1a0c08185b107050fcf32f8fa40

SHA1
c8746a8dad7b4bf18380207b0c7c848362567a92

SHA256
723aea78755292d2f4f87ad100a99b37bef951b6b40b62e2e2bbd4df3346d528

SHA512
dff51c890cb395665839070d37170d321dc0800981a42f173c6ea570684460146b4936af9d8567a6089bef3a7802ac4931c14031827689ef345ea384ceb47599

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll

Filesize
130KB

MD5
a0ac07aa77ee8f20556add9844d3b0e2

SHA1
59f7a1aa2da2979df86b2cab9c238e139ce9a962

SHA256
2f5cf16baac87d70bf8fa5a8bc0a70d3956204c0f4628642cef250bc3f46c8c7

SHA512
bd14a6c5d02af02f3601b40ab6ce696cd2539f2508bfe6f1b0b19895473f34a0db21828358d1e8b1e46e3c6b16420f619d18601f710943a3fbc121e6e4fbbaca

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll

Filesize
232KB

MD5
1683dedba716c8836722f6abe0b88463

SHA1
8d1dd94fc790ead598871d1595dfbaf39f58f544

SHA256
d9f3bb957533182595785060fb0f0108602394f5d91b20a1089592ac409072fc

SHA512
b17061f119e8e6d93ef9f8594f5c919bdec164c4a4b06836cb116c6937e6d5a8686d40484259321eb38aeec07c5183a0f0e9489cc00bd35070987050a966263c

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll

Filesize
184KB

MD5
252832b45908f733feef34052612a451

SHA1
f2ed24683da3a48243bef8872fc407e9bac95662

SHA256
1ea05b7ae8de7fc3be35ba67a92c291903de354718e647995d6101686cb0c2ad

SHA512
552b59914b6aad215aaa83213e26999aad0e2dfdd09dfbb2e06f3267407860ffe0a3af662f0571689dfe1570c2e16a67e7cdf9aa8f10bad2d0c1c43f3f6c3652

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll

Filesize
133KB

MD5
8db691813a26e7d0f1db5e2f4d0d05e3

SHA1
7c7a33553dd0b50b78bf0ca6974c77088da253eb

SHA256
3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701

SHA512
d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll

Filesize
101KB

MD5
83d37fb4f754c7f4e41605ec3c8608ea

SHA1
70401de8ce89f809c6e601834d48768c0d65159f

SHA256
56db33c0962b3c34cba5279d2441bc4c12f28b569eadc1b3885dd0951b2c4020

SHA512
f5f3479f485b1829bbfb7eb8087353aee569184f9c506af15c4e28bfe4f73bf2cc220d817f6dfc34b2a7a6f69453f0b71e64b79c4d500ff9a243799f68e88b9f

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll

Filesize
151KB

MD5
72990c7e32ee6c811ea3d2ea64523234

SHA1
a7fcbf83ec6eefb2235d40f51d0d6172d364b822

SHA256
e77e0b4f2762f76a3eaaadf5a3138a35ec06ece80edc4b3396de7a601f8da1b3

SHA512
2908b8c387d46b6329f027bc1e21a230e5b5c32460f8667db32746bc5f12f86927faa10866961cb2c45f6d594941f6828f9078ae7209a27053f6d11586fd2682

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll

Filesize
404KB

MD5
a964ffb39c7d70e38a6270de5ab879f6

SHA1
75a061821512ccfe5e5202ef23377a1376bc09f1

SHA256
3a62ba74ec98b0a047efe1eae2e281ef59ff2187842363c320303fc8582e67d3

SHA512
ebd7678a80de6c961d8cbd03a4e16ea4e6b2a5d2baffe45c8167c2655ad3e450d343fff09f178fe238df0b89f86a1c56a3a78be72f8b8cb3f695588996bfd802

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\sciter32.dll

Filesize
529KB

MD5
422c9e1d88f9f8bb4f61fc3e7d96c062

SHA1
14d93eeaf38a04fe26be295c8d7b6261e9e16b95

SHA256
893bd98a7bce03c2a604980db7fc81386ee73440fce6b4b95f76fb42f29d615d

SHA512
dfe51a8b5d33641711642c726ddc86691401777b3322496e860a9e2aebf4c3e7e3ebbb56883d10644d8794ac0a35c534ac9b176b71833714557beaa7d19cf1df

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
memory/2064-423-0x000002179EC00000-0x000002179EC10000-memory.dmp

Filesize
64KB

Download
memory/2064-532-0x00000217A5010000-0x00000217A5011000-memory.dmp

Filesize
4KB

Download
memory/2064-442-0x000002179ED40000-0x000002179ED42000-memory.dmp

Filesize
8KB

Download
memory/2064-533-0x00000217A5040000-0x00000217A5041000-memory.dmp

Filesize
4KB

Download
memory/2392-144-0x0000000005C30000-0x0000000005C42000-memory.dmp

Filesize
72KB

Download
memory/2392-198-0x0000000006E40000-0x0000000006ED2000-memory.dmp

Filesize
584KB

Download
memory/2392-187-0x0000000007BD0000-0x0000000008184000-memory.dmp

Filesize
5.7MB

Download
memory/2392-215-0x0000000009FA0000-0x0000000009FCE000-memory.dmp

Filesize
184KB

Download
memory/2392-178-0x0000000006C00000-0x0000000006C0C000-memory.dmp

Filesize
48KB

Download
memory/2392-18-0x0000000071030000-0x000000007171E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-17-0x0000000000510000-0x00000000008E8000-memory.dmp

Filesize
3.8MB

Download
memory/2392-181-0x0000000007110000-0x000000000760E000-memory.dmp

Filesize
5.0MB

Download
memory/2392-22-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/2392-78-0x00000000054C0000-0x00000000054F2000-memory.dmp

Filesize
200KB

Download
memory/2392-270-0x0000000071030000-0x000000007171E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-281-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/2392-86-0x0000000005480000-0x000000000549A000-memory.dmp

Filesize
104KB

Download
memory/2392-172-0x0000000006720000-0x0000000006A70000-memory.dmp

Filesize
3.3MB

Download
memory/2392-38-0x00000000051F0000-0x0000000005204000-memory.dmp

Filesize
80KB

Download
memory/2392-46-0x00000000053C0000-0x00000000053E4000-memory.dmp

Filesize
144KB

Download
memory/2392-62-0x0000000005420000-0x000000000544E000-memory.dmp

Filesize
184KB

Download
memory/2392-297-0x0000000071030000-0x000000007171E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-54-0x00000000053F0000-0x0000000005418000-memory.dmp

Filesize
160KB

Download
memory/2392-170-0x00000000065E0000-0x00000000065EA000-memory.dmp

Filesize
40KB

Download
memory/2392-171-0x00000000066F0000-0x0000000006712000-memory.dmp

Filesize
136KB

Download
memory/2392-165-0x0000000006660000-0x00000000066EC000-memory.dmp

Filesize
560KB

Download
memory/2392-94-0x0000000005530000-0x0000000005554000-memory.dmp

Filesize
144KB

Download
memory/2392-102-0x00000000054A0000-0x00000000054AA000-memory.dmp

Filesize
40KB

Download
memory/2392-110-0x0000000005570000-0x0000000005578000-memory.dmp

Filesize
32KB

Download
memory/2392-70-0x0000000005450000-0x0000000005478000-memory.dmp

Filesize
160KB

Download
memory/2392-128-0x0000000005590000-0x00000000055AD000-memory.dmp

Filesize
116KB

Download
memory/2392-118-0x00000000055C0000-0x00000000055EC000-memory.dmp

Filesize
176KB

Download
memory/2484-392-0x00000000064D0000-0x0000000006508000-memory.dmp

Filesize
224KB

Download
memory/2484-400-0x0000000006340000-0x0000000006350000-memory.dmp

Filesize
64KB

Download
memory/2484-391-0x0000000006330000-0x0000000006338000-memory.dmp

Filesize
32KB

Download
memory/2484-397-0x0000000006BA0000-0x0000000006BBE000-memory.dmp

Filesize
120KB

Download
memory/2484-398-0x0000000007050000-0x00000000073A0000-memory.dmp

Filesize
3.3MB

Download
memory/2484-399-0x00000000074C0000-0x000000000755C000-memory.dmp

Filesize
624KB

Download
memory/2484-401-0x0000000006340000-0x0000000006350000-memory.dmp

Filesize
64KB

Download
memory/2484-394-0x00000000069F0000-0x0000000006A66000-memory.dmp

Filesize
472KB

Download
memory/2484-402-0x000000000C290000-0x000000000C298000-memory.dmp

Filesize
32KB

Download
memory/2484-393-0x00000000065C0000-0x0000000006670000-memory.dmp

Filesize
704KB

Download
memory/2484-390-0x0000000000940000-0x0000000001A46000-memory.dmp

Filesize
17.0MB

Download
memory/2484-389-0x0000000070650000-0x0000000070D3E000-memory.dmp

Filesize
6.9MB

Download
memory/2484-640-0x0000000006340000-0x0000000006350000-memory.dmp

Filesize
64KB

Download
memory/2484-641-0x0000000006340000-0x0000000006350000-memory.dmp

Filesize
64KB

Download
memory/2484-638-0x0000000070650000-0x0000000070D3E000-memory.dmp

Filesize
6.9MB

Download
memory/2836-303-0x0000000071030000-0x000000007171E000-memory.dmp

Filesize
6.9MB

Download
memory/2836-294-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/2836-292-0x0000000000930000-0x000000000093C000-memory.dmp

Filesize
48KB

Download
memory/2836-293-0x0000000071030000-0x000000007171E000-memory.dmp

Filesize
6.9MB

Download
memory/4252-239-0x0000000071030000-0x000000007171E000-memory.dmp

Filesize
6.9MB

Download
memory/4252-264-0x0000000071030000-0x000000007171E000-memory.dmp

Filesize
6.9MB

Download
memory/4252-258-0x0000000005BF0000-0x0000000005C00000-memory.dmp

Filesize
64KB

Download
memory/5684-607-0x000001D6FCC20000-0x000001D6FCC22000-memory.dmp

Filesize
8KB

Download
memory/5684-618-0x000001D6FCF60000-0x000001D6FCF62000-memory.dmp

Filesize
8KB

Download
memory/5684-610-0x000001D6FCC90000-0x000001D6FCC92000-memory.dmp

Filesize
8KB

Download
memory/5980-489-0x000001BEC6AD0000-0x000001BEC6AD2000-memory.dmp

Filesize
8KB

Download
memory/5980-639-0x000001BEC7490000-0x000001BEC7506000-memory.dmp

Filesize
472KB

Download
memory/5980-487-0x000001BEC6A10000-0x000001BEC6A12000-memory.dmp

Filesize
8KB

Download
memory/5980-485-0x000001BEC67F0000-0x000001BEC67F2000-memory.dmp

Filesize
8KB

Download