16bb6d0fae77ee99a00727114cc9e6717905df018271d8cbcb7e642db7f90330

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 02:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Delta V3.61 b_88593726.exe
Size

9.5MB
MD5

fe199f51da36542219eeea6f2cc3cb8d
SHA1

ffe0276d59a60475cafc48b7cb2f2278aea19128
SHA256

16bb6d0fae77ee99a00727114cc9e6717905df018271d8cbcb7e642db7f90330
SHA512

4881f0304934701b1e7220714f42ca05362b7ded751583a7dbc8176811e2dcc161d06ee5ed7393d6ae459569ae3952580225d87b0678b9fc4d124055b93d0d9a
SSDEEP

196608:iPNeodYjpFs5deC0sJ7JJerqNxmQ3bKfIiaNPFHNRsiK7:wNePpF2JWrqNxL3bIIiEHMn7

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	setup88593726.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	setup88593726.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	setup88593726.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	setup88593726.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	setup88593726.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	setup88593726.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	setup88593726.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	setup88593726.exe

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
147	discord.com
148	discord.com

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Delta V3.61 b_88593726.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	setup88593726.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
4300	tasklist.exe
2132	tasklist.exe
3184	tasklist.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 12 IoCs

pid	Process
1772	setup88593726.exe
408	setup88593726.exe
1156	opera.exe
4796	setup.exe
2968	setup.exe
640	setup.exe
2316	setup.exe
1172	setup.exe
2476	OfferInstaller.exe
4508	Assistant_113.0.5230.31_Setup.exe_sfx.exe
2044	assistant_installer.exe
3940	assistant_installer.exe

Loads dropped DLL 64 IoCs

pid	Process
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe
408	setup88593726.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Assistant_113.0.5230.31_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delta V3.61 b_88593726.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup88593726.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup88593726.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OfferInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	opera.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3372	timeout.exe
4568	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133713596783143049"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Opera GXStable	Delta V3.61 b_88593726.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	Delta V3.61 b_88593726.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	Delta V3.61 b_88593726.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{BD761C1D-2F65-4229-84FA-39908AE48652}	msedge.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup88593726.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	setup88593726.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup88593726.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1852	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
1772	setup88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
2476	OfferInstaller.exe
2476	OfferInstaller.exe
2476	OfferInstaller.exe
2476	OfferInstaller.exe
2476	OfferInstaller.exe
2476	OfferInstaller.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1772	setup88593726.exe
Token: SeDebugPrivilege	2476	OfferInstaller.exe
Token: SeDebugPrivilege	3184	tasklist.exe
Token: SeDebugPrivilege	4300	tasklist.exe
Token: SeDebugPrivilege	2132	tasklist.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe
1548	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3612	Delta V3.61 b_88593726.exe
3612	Delta V3.61 b_88593726.exe
1772	setup88593726.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 1772	3612	Delta V3.61 b_88593726.exe	85
PID 3612 wrote to memory of 1772	3612	Delta V3.61 b_88593726.exe	85
PID 3612 wrote to memory of 1772	3612	Delta V3.61 b_88593726.exe	85
PID 3612 wrote to memory of 408	3612	Delta V3.61 b_88593726.exe	94
PID 3612 wrote to memory of 408	3612	Delta V3.61 b_88593726.exe	94
PID 3612 wrote to memory of 408	3612	Delta V3.61 b_88593726.exe	94
PID 3612 wrote to memory of 1156	3612	Delta V3.61 b_88593726.exe	95
PID 3612 wrote to memory of 1156	3612	Delta V3.61 b_88593726.exe	95
PID 3612 wrote to memory of 1156	3612	Delta V3.61 b_88593726.exe	95
PID 1156 wrote to memory of 4796	1156	opera.exe	96
PID 1156 wrote to memory of 4796	1156	opera.exe	96
PID 1156 wrote to memory of 4796	1156	opera.exe	96
PID 4796 wrote to memory of 2968	4796	setup.exe	97
PID 4796 wrote to memory of 2968	4796	setup.exe	97
PID 4796 wrote to memory of 2968	4796	setup.exe	97
PID 4796 wrote to memory of 640	4796	setup.exe	98
PID 4796 wrote to memory of 640	4796	setup.exe	98
PID 4796 wrote to memory of 640	4796	setup.exe	98
PID 4796 wrote to memory of 2316	4796	setup.exe	99
PID 4796 wrote to memory of 2316	4796	setup.exe	99
PID 4796 wrote to memory of 2316	4796	setup.exe	99
PID 2316 wrote to memory of 1172	2316	setup.exe	100
PID 2316 wrote to memory of 1172	2316	setup.exe	100
PID 2316 wrote to memory of 1172	2316	setup.exe	100
PID 1772 wrote to memory of 2476	1772	setup88593726.exe	102
PID 1772 wrote to memory of 2476	1772	setup88593726.exe	102
PID 1772 wrote to memory of 2476	1772	setup88593726.exe	102
PID 1772 wrote to memory of 2520	1772	setup88593726.exe	103
PID 1772 wrote to memory of 2520	1772	setup88593726.exe	103
PID 1772 wrote to memory of 2520	1772	setup88593726.exe	103
PID 2520 wrote to memory of 3184	2520	cmd.exe	105
PID 2520 wrote to memory of 3184	2520	cmd.exe	105
PID 2520 wrote to memory of 3184	2520	cmd.exe	105
PID 2520 wrote to memory of 1708	2520	cmd.exe	106
PID 2520 wrote to memory of 1708	2520	cmd.exe	106
PID 2520 wrote to memory of 1708	2520	cmd.exe	106
PID 2520 wrote to memory of 3372	2520	cmd.exe	107
PID 2520 wrote to memory of 3372	2520	cmd.exe	107
PID 2520 wrote to memory of 3372	2520	cmd.exe	107
PID 3612 wrote to memory of 1852	3612	Delta V3.61 b_88593726.exe	108
PID 3612 wrote to memory of 1852	3612	Delta V3.61 b_88593726.exe	108
PID 3612 wrote to memory of 1852	3612	Delta V3.61 b_88593726.exe	108
PID 2476 wrote to memory of 1700	2476	OfferInstaller.exe	109
PID 2476 wrote to memory of 1700	2476	OfferInstaller.exe	109
PID 2476 wrote to memory of 1700	2476	OfferInstaller.exe	109
PID 1700 wrote to memory of 4300	1700	cmd.exe	111
PID 1700 wrote to memory of 4300	1700	cmd.exe	111
PID 1700 wrote to memory of 4300	1700	cmd.exe	111
PID 1700 wrote to memory of 2196	1700	cmd.exe	112
PID 1700 wrote to memory of 2196	1700	cmd.exe	112
PID 1700 wrote to memory of 2196	1700	cmd.exe	112
PID 1700 wrote to memory of 4568	1700	cmd.exe	113
PID 1700 wrote to memory of 4568	1700	cmd.exe	113
PID 1700 wrote to memory of 4568	1700	cmd.exe	113
PID 1700 wrote to memory of 2132	1700	cmd.exe	114
PID 1700 wrote to memory of 2132	1700	cmd.exe	114
PID 1700 wrote to memory of 2132	1700	cmd.exe	114
PID 1700 wrote to memory of 3512	1700	cmd.exe	115
PID 1700 wrote to memory of 3512	1700	cmd.exe	115
PID 1700 wrote to memory of 3512	1700	cmd.exe	115
PID 4796 wrote to memory of 4508	4796	setup.exe	117
PID 4796 wrote to memory of 4508	4796	setup.exe	117
PID 4796 wrote to memory of 4508	4796	setup.exe	117
PID 4796 wrote to memory of 2044	4796	setup.exe	118

C:\Users\Admin\AppData\Local\Temp\Delta V3.61 b_88593726.exe
"C:\Users\Admin\AppData\Local\Temp\Delta V3.61 b_88593726.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Local\setup88593726.exe
  C:\Users\Admin\AppData\Local\setup88593726.exe hhwnd=328412 hreturntoinstaller hextras=id:964bc9f9d4b9a45-US-KA1rz
  2⤵
  - Checks for any installed AV software in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 2476" /fo csv
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "2476"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4568
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 2476" /fo csv
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "2476"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "PID eq 1772" /fo csv
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3184
  - - C:\Windows\SysWOW64\find.exe
      find /I "1772"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1708
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3372
- C:\Users\Admin\AppData\Local\setup88593726.exe
  C:\Users\Admin\AppData\Local\setup88593726.exe hready
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:408
- C:\Users\Admin\AppData\Local\opera.exe
  C:\Users\Admin\AppData\Local\opera.exe --silent --allusers=0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Users\Admin\AppData\Local\Temp\7zS4840F928\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS4840F928\setup.exe --silent --allusers=0 --server-tracking-blob=OTZjYjBlOWVmNzM2YmVmNzAzNTE5ZDk2MzE2ZjhmMDQyMTBmMjNkY2MwZmMwMjcxNDAwN2Q4OTNmZDQ5MjBjMjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPUluc3RhbGx1bmlvbiZ1dG1fbWVkaXVtPXBiJnV0bV9jYW1wYWlnbj1LQTFyeiIsInRpbWVzdGFtcCI6IjE3MjY4ODYwNTYuMzI2OCIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjI7IFdPVzY0OyBUcmlkZW50LzcuMDsgLk5FVDQuMEM7IC5ORVQ0LjBFOyAuTkVUIENMUiAyLjAuNTA3Mjc7IC5ORVQgQ0xSIDMuMC4zMDcyOTsgLk5FVCBDTFIgMy41LjMwNzI5KSIsInV0bSI6eyJjYW1wYWlnbiI6IktBMXJ6IiwibWVkaXVtIjoicGIiLCJzb3VyY2UiOiJJbnN0YWxsdW5pb24ifSwidXVpZCI6IjBhOTJlOTE2LTc3N2EtNDZjYi1hMDBjLTQ0Yjk5ODhkZmM0MiJ9
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:4796
  - - C:\Users\Admin\AppData\Local\Temp\7zS4840F928\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS4840F928\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=113.0.5230.62 --initial-client-data=0x32c,0x330,0x334,0x304,0x338,0x6c70ae8c,0x6c70ae98,0x6c70aea4
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:640
  - - C:\Users\Admin\AppData\Local\Temp\7zS4840F928\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS4840F928\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4796 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240921023418" --session-guid=adc113ef-dbc3-4948-908e-7cd66ddfaca1 --server-tracking-blob="MGQyOTNmMWQ0ZDc4ODNlM2Q1YjNjOTFiZjUzMjY0NTMyMGQyNjBkNDA0MzJjMjkzM2FlMDAzZGRmZTRkN2U0ZDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPUluc3RhbGx1bmlvbiZ1dG1fbWVkaXVtPXBiJnV0bV9jYW1wYWlnbj1LQTFyeiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcyNjg4NjA1Ni4zMjY4IiwidXNlcmFnZW50IjoiTW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNy4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNy4wOyAuTkVUNC4wQzsgLk5FVDQuMEU7IC5ORVQgQ0xSIDIuMC41MDcyNzsgLk5FVCBDTFIgMy4wLjMwNzI5OyAuTkVUIENMUiAzLjUuMzA3MjkpIiwidXRtIjp7ImNhbXBhaWduIjoiS0ExcnoiLCJtZWRpdW0iOiJwYiIsInNvdXJjZSI6Ikluc3RhbGx1bmlvbiJ9LCJ1dWlkIjoiMGE5MmU5MTYtNzc3YS00NmNiLWEwMGMtNDRiOTk4OGRmYzQyIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1C06000000000000
      4⤵
      Enumerates connected drives
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2316
    - - C:\Users\Admin\AppData\Local\Temp\7zS4840F928\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4840F928\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=113.0.5230.62 --initial-client-data=0x31c,0x320,0x324,0x2f8,0x328,0x6bbbae8c,0x6bbbae98,0x6bbbaea4
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1172
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409210234181\assistant\Assistant_113.0.5230.31_Setup.exe_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409210234181\assistant\Assistant_113.0.5230.31_Setup.exe_sfx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4508
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409210234181\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409210234181\assistant\assistant_installer.exe" --version
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2044
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409210234181\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409210234181\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=113.0.5230.31 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x4b2c48,0x4b2c54,0x4b2c60
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3940
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:1852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb868acc40,0x7ffb868acc4c,0x7ffb868acc58
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2136,i,4983202061924813933,15788820540389986157,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1780,i,4983202061924813933,15788820540389986157,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2496 /prefetch:3
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,4983202061924813933,15788820540389986157,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,4983202061924813933,15788820540389986157,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,4983202061924813933,15788820540389986157,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4580,i,4983202061924813933,15788820540389986157,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4528 /prefetch:1
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4376,i,4983202061924813933,15788820540389986157,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3832 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5052,i,4983202061924813933,15788820540389986157,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5500,i,4983202061924813933,15788820540389986157,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4576,i,4983202061924813933,15788820540389986157,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4436 /prefetch:8
  2⤵
  PID:4428

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2092

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2240

C:\Users\Admin\Desktop\Delta.exe
"C:\Users\Admin\Desktop\Delta.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/4TfpR6wUUu
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb882546f8,0x7ffb88254708,0x7ffb88254718
    3⤵
    PID:4516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,2615585275191563911,14132806087551623095,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2004 /prefetch:2
    3⤵
    PID:3932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,2615585275191563911,14132806087551623095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
    3⤵
    PID:2276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,2615585275191563911,14132806087551623095,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
    3⤵
    PID:2188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,2615585275191563911,14132806087551623095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
    3⤵
    PID:3052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,2615585275191563911,14132806087551623095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
    3⤵
    PID:3604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,2615585275191563911,14132806087551623095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
    3⤵
    PID:5532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1996,2615585275191563911,14132806087551623095,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4176 /prefetch:8
    3⤵
    PID:5684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1996,2615585275191563911,14132806087551623095,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5228 /prefetch:8
    3⤵
    - Modifies registry class
    PID:5692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b2d152ac76d2e609f9cdaebf3903d568

SHA1
f5fc11687ebb5db16871cfd1595b0d5b1647cadd

SHA256
8c05ae8c6f9a31a264290b595ceef7c30a45c17674bd7c2b58e32b437f34b2fd

SHA512
0fa3e3d25819bf0fa93b1d3d18b208b96bb508a2b87f21c8b33ae6a781f1a98b7a3fcad8841fc0bcaff045b40486aad056e550a3c50a66f5077b0649046de107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7cb359e38092c21660792946714938aa

SHA1
02c6bcb368265168dfaf0bfd2d629f4db1926e77

SHA256
bc0be45016170355b2c54c3cd0f301835442e23d4b791f479ed62da87dd9e791

SHA512
bd1331cf45f6655b1d7235d448e4708e69df87ddc92b4c6b43f609288d7dcc34d29c705ff67935f104010f97a1c0bbc0ef83ac1b4c26f8ab2e4f6bbc1446af40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
cc874c2497eb6461dd53b00128b9230b

SHA1
f917b63b20768127c733ba44c4e798a13b2b3d5d

SHA256
3844ac0044917d90a1dad0a116b9854ea0830fb99f1e4332f1d2df2c0ff66517

SHA512
5446a4754e6ec26e97e3a8f9513f6cf3dc310ab64ca79bbd03782ed6a1c7767d783ded3dd9c0045dfec0ccf60d4616171c0cce4631f38b0db40a276591b76d66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cbcafd1deef1c5708d45a8d9e2272495

SHA1
2e334e56958a5fefa7608c61d80ef8c17079cd0a

SHA256
f11e02c3af00485a375face30293d4a1cfe712a56c707e1763c2a01331b067ee

SHA512
54859cf1ffe1cad9c2e491e017834790036936ed2753f1db06b4be1dc624f0a73850a1e555d2d5424a12f7a446adca66ea2b91712ea68cc2558f381b3e563d70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9fbb346df83fabc66619a4c5fb51a0f5

SHA1
42b541e4cf0abf5e68f083071f0c33c112835730

SHA256
9ebeb7a909d3b97a41ba1a4c2ee785ed0b741e4b8171588bec9cbbdb9fb67c22

SHA512
a480f4aa35bead50405f04920dfa24c60dbaa2dadd1f2b84f4f2ba9a254096e12d616e03d7386c5e1ae2037e92ace45ed761890ec20156c59a0ca4a821f4f373

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0ed6d231da8be71f86f3a6b384e2ad78

SHA1
1b0c35f2996f1629fb683fca7d87ce8ccdd775b5

SHA256
81aa49918b6ba58c0bb169dcbbfe7c3075b6f775a58815e3afc9f283501cdd5a

SHA512
deb0f62db56efae7df9ad4a2219c473cdb977eb115ecac1fd830f94796f1d3932e806f605afc073fff2eb5fd495179818638854cec5f334c4557b539c85b3b7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
669c82a04216c6e24dac0c3df8d2e318

SHA1
692894bc14ba0636cbb5d53dfdf816af90e4e4c4

SHA256
cba54ae5b2e113138208a28441a909e109a1bbc2bf1bb5769b609c9880ad8cdb

SHA512
346046bcbf366e16ae3e3dd3f288dcc656ccc88e753235d63320c4306c4c8fb7b879377842661c4e758447cb26e4ad4fdaac3dca42c9cf6ecbe9fb37574fcace

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
53e2be5a37b932867e52f2686a1eaed1

SHA1
6178a11c95cb8329cd6e9b21ead9ac88f194e40f

SHA256
43e3afa3155b264af69ed01bbad66a3d72a02d10b1293bbe5e99d4aabab5865d

SHA512
425748e6946c1833cf66642a6f27c210bd2249d63169899d73c095a8dd7bf58bfe0de056968cf82c65ea036021c5a2017ce27f14c09fc1b969a61a613643c33a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
83c066bf6089531a05ba335605b3230c

SHA1
1242a211dae4c7bc752ef0f3c8fcbe721d6cd066

SHA256
1c73fd33fa9a54c4cfb5c737e7eb8cd3363afdb4313a8bec668b512f5236f422

SHA512
bae4969f169dbbae72384f9636233f77c5ea8a4777139fca592989410a40e054ae0bd3c14fbaef45068f9cf28451d25e1b5e1b0d6d2060127b32dd7e5a201574

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a1ea8805e2e02df6667967281423a93e

SHA1
edd9cbf2ed4925ab86f8d9db744dbe1b19bc2f47

SHA256
665d2c800b64deb66574db32a128a0d4806135e28fbe86d5c1275f4b0351b82a

SHA512
97434ecae95a9d226d8c71c3f295000bab3f778071c8d520dc1163ae0a06a8e2ce8d00cb4ffeaee6339e8a74cd8abbdbc25d16ca6aa031b9ee2742c8cfd2477c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
898c5219a6aeb8fde1bf59c134d8fb6c

SHA1
cd7ca718ea21f4773abd9a4657c4d98935cbfe06

SHA256
ce0adffd28e4d0ed022c5427c3c2067fe54ea27ed78f5223ab894faaee698978

SHA512
b246dbce427ca32466b15a6ce7be5f500a23c795e6a7ddfe664260691d3aad913c8112433922dcea8d6b75238da85496e3590243d505818b69526f615c35aaab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
6232fe6c6f81a3378dce6c724ddf1bd1

SHA1
03c8e5522af5ee66d0014eea7ef47151a43e6928

SHA256
69f3f3ede91812bc43513a48f4361c27363bb264ed47d84c2a690dc5a0cd8567

SHA512
2ace81b9076789586afb0de83dded6c2569dbd977e7ef1ddd0a41480dada912d2cacae328cb369e46393b8ea191724171a91d9436fc9c0f5d88b54a3d4f3d6a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
028585ee04602f74dc973c9abc193c43

SHA1
6e354ee87738e11c24a5615bc3a708526e87289f

SHA256
0c5ff06621ea2831d14d2c0b45d78331929a093f9c55c613c065beeb11ec20d6

SHA512
ea7fe28be5376911990652bd76f3585b22931b8524083908b49c5eb310374e3552a19b70019c1cf8d2fe77d78c62d6b6d41bce1ced08e081bbafa4b8cffbc954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
3796389df582ba040b6a9b9e9d4ce05d

SHA1
08bbd5c85c510bba9914a67fcdb1861a89f2e75c

SHA256
687704def1e8be3d41873b0a9f1a6e575b5f2d717b86592119b1a6602b13021f

SHA512
435be96d2fb355e4298a640295ca41b3cb2918cd7a03c43e9796bc06f966a4ad7665dd92a9150a3e66956e62d639d27984d9f046182d04362122ae47922976a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
247B

MD5
94bd83393ee4e3c749f28c3414160cbc

SHA1
68effb04ecc392f2ae4ad7bdc1e99b9116da474c

SHA256
e1dbf44fca250f32925910fcd7f59276e46d0d916eff30fdf9f85ef91bcd3d4b

SHA512
203109a405cd685a195e6cdae5d0a624abcd6c6a9333b88f312e50f96bafa03057366bd78bf62df8784ec97f14677d56f8b78b472000044618a784bcf7af3e8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e14d086fbae2502af6bb0b219e806dbc

SHA1
71701800068339b09ac952188863a8ae4af7ee20

SHA256
cfaa815dcf7b5e8fa6b7dcd2b2310cd444739b2452d6e6122f4b84a009047bde

SHA512
62f05adb5df8cb66e276af9bf185c13f3a1bebfffd7f2c56f9679e0ac2dfcd0303d4fb0795a4732de1db548e1b0a84531ff17d58f6cbd904b17d373f92ce1bc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ea3acf50145e8de8d536c9b95275f2a5

SHA1
401ea9a53906ab5a93882a7221c0c67d6c756d75

SHA256
a3938bb35f0ecf81e2d5f904e6ef3dd93562c6c8a60889b537d76b150966d5f8

SHA512
e02a93cd520a6adcb362e3993f30c417786c47bab4f8f8665498db762d9cbbf842d1b9a038476de255ccdf7ca2b180cd6d67a409f1d5fefd334f0144f6ab79da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fd8503c6bca82c8815e48de7a15af06e

SHA1
db86fd03939b789defbc9a1257ed6cb30688bf74

SHA256
63de0136ddc9088b21391cb4bca601fa5c4c1dcbe1dc54f4d5b9edb0f280436b

SHA512
3a1d847a03a85abb8fc8c1821d83554a70eec11956f3fc02624847338316766578c4b07bfccf6f8d1bab94965abc71d4986833c03143c7a906430f59b374b621

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409210234181\additional_file0.tmp

Filesize
2.6MB

MD5
0995a010e2f8b866c6abca90fa49130f

SHA1
f282871f9d6333f5bcc738062613c44567a58dc0

SHA256
74d4c26b0ee35a7431944e51aaf5ec4ab3338b6776bf44bdfdbc1e201b4fea76

SHA512
b98e4bd252a9bdb11a7f15c795910daabdbe8e0ba0fa86a5ee6f8167ff66a9b67790c51f700666239781ad46241926590588b6831d16e5057dcbfebe37c3ae6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe

Filesize
5.1MB

MD5
c3ad19d69141fa707540087edc297679

SHA1
0bba92b6e3371770989ef3597a9192d16b4feae2

SHA256
ff7ac32388dbd9ad3ef945b0e71518c2d869b9d9cc8fbbd14d3b0665850b0933

SHA512
28648a5c8c44def983cbdc4f6b48dc97d5fbda2a2f8ac3d93f85476f3492bc18986be97a5954e27fff1206779736b0ed90df1a04c35f30e1c182b6435cf33f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2409210234177922968.dll

Filesize
4.6MB

MD5
af4d7038964957d0316e5cc585dcc65b

SHA1
5adf3de24387ba6aa548787586cca5c6186fddfa

SHA256
bac6f2f2f872837ceecf54e7ab04e620e5e0a951029e93920977bac0a2b0fe03

SHA512
b76b889e3ef159a363a85b0db84a67d478a04b1737b14582877622dc07fd12fb5dd20171d0f178bad1c7d9b77aebe76edee59ca9e5b8c75d983384e6dab33fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.LastScreen.dll

Filesize
57KB

MD5
6e001f8d0ee4f09a6673a9e8168836b6

SHA1
334ad3cf0e4e3c03415a4907b2d6cf7ba4cbcd38

SHA256
6a30f9c604c4012d1d2e1ba075213c378afb1bfcb94276de7995ed7bbf492859

SHA512
0eff2e6d3ad75abf801c2ab48b62bc93ebc5a128d2e03e507e6e5665ff9a2ab58a9d82ca71195073b971f8c473f339baffdd23694084eaaff321331b5faaecf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll

Filesize
117KB

MD5
08112f27dcd8f1d779231a7a3e944cb1

SHA1
39a98a95feb1b6295ad762e22aa47854f57c226f

SHA256
11c6a8470a3f2b2be9b8cafe5f9a0afce7303bfd02ab783a0f0ee09a184649fa

SHA512
afd0c7df58b63c7cfdbedea7169a1617f2ac4bad07347f8ed7757a25ab0719489d93272109b73a1b53e9c5997dedad8da89da7b339d30fc2573ca2f76c630ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll

Filesize
5.7MB

MD5
38cc1b5c2a4c510b8d4930a3821d7e0b

SHA1
f06d1d695012ace0aef7a45e340b70981ca023ba

SHA256
c2ba8645c5c9507d422961ceaeaf422adf6d378c2a7c02199ed760fb37a727f2

SHA512
99170f8094f61109d08a6e7cf25e7fba49160b0009277d10e9f0b9dac6f022e7a52e3d822e9aee3f736c2d285c4c3f62a2e6eb3e70f827ac6e8b867eea77f298

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2ODAL.dll

Filesize
15KB

MD5
422be1a0c08185b107050fcf32f8fa40

SHA1
c8746a8dad7b4bf18380207b0c7c848362567a92

SHA256
723aea78755292d2f4f87ad100a99b37bef951b6b40b62e2e2bbd4df3346d528

SHA512
dff51c890cb395665839070d37170d321dc0800981a42f173c6ea570684460146b4936af9d8567a6089bef3a7802ac4931c14031827689ef345ea384ceb47599

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll

Filesize
75KB

MD5
c06ac6dcfa7780cd781fc9af269e33c0

SHA1
f6b69337b369df50427f6d5968eb75b6283c199d

SHA256
b23b8310265c14d7e530b80defc6d39cdc638c07d07cd2668e387863c463741d

SHA512
ad167ad62913243e97efaeaa7bad38714aba7fc11f48001974d4f9c68615e9bdfb83bf623388008e77d61cee0eaba55ce47ebbb1f378d89067e74a05a11d9fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll

Filesize
19KB

MD5
554c3e1d68c8b5d04ca7a2264ca44e71

SHA1
ef749e325f52179e6875e9b2dd397bee2ca41bb4

SHA256
1eb0795b1928f6b0459199dace5affdc0842b6fba87be53ca108661275df2f3e

SHA512
58ce13c47e0daf99d66af1ea35984344c0bb11ba70fe92bc4ffa4cd6799d6f13bcad652b6883c0e32c6e155e9c1b020319c90da87cb0830f963639d53a51f9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll

Filesize
160KB

MD5
6df226bda27d26ce4523b80dbf57a9ea

SHA1
615f9aba84856026460dc54b581711dad63da469

SHA256
17d737175d50eee97ac1c77db415fe25cc3c7a3871b65b93cc3fad63808a9abc

SHA512
988961d7a95c9883a9a1732d0b5d4443c790c38e342a9e996b072b41d2e8686389f36a249f2232cb58d72f8396c849e9cc52285f35071942bec5c3754b213dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll

Filesize
119KB

MD5
9d2c520bfa294a6aa0c5cbc6d87caeec

SHA1
20b390db533153e4bf84f3d17225384b924b391f

SHA256
669c812cb8f09799083014a199b0deee10237c95fb49ee107376b952fee5bd89

SHA512
7e2e569549edb6ddd2b0cb0012386aed1f069e35d1f3045bb57704ef17b97129deb7cde8e23bc49980e908e1a5a90b739f68f36a1d231b1302a5d29b722e7c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OViewModels.dll

Filesize
8KB

MD5
be4c2b0862d2fc399c393fca163094df

SHA1
7c03c84b2871c27fa0f1914825e504a090c2a550

SHA256
c202e4f92b792d34cb6859361aebdbfc8c61cf9e735edfd95e825839920fb88a

SHA512
d9c531687a5051bbfe5050c5088623b3fd5f20b1e53dd4d3ed281c8769c15f45da36620231f6d0d76f8e2aa7de00c2324a4bf35a815cefc70ca97bc4ab253799

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll

Filesize
154KB

MD5
17220f65bd242b6a491423d5bb7940c1

SHA1
a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

SHA256
23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

SHA512
bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Core.dll

Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Extension.dll

Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll

Filesize
541KB

MD5
9de86cdf74a30602d6baa7affc8c4a0f

SHA1
9c79b6fbf85b8b87dd781b20fc38ba2ac0664143

SHA256
56032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583

SHA512
dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll

Filesize
133KB

MD5
8db691813a26e7d0f1db5e2f4d0d05e3

SHA1
7c7a33553dd0b50b78bf0ca6974c77088da253eb

SHA256
3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701

SHA512
d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe

Filesize
26KB

MD5
cef027c3341afbcdb83c72080df7f002

SHA1
e538f1dd4aee8544d888a616a6ebe4aeecaf1661

SHA256
e87db511aa5b8144905cd24d9b425f0d9a7037fface3ca7824b7e23cfddbbbb7

SHA512
71ba423c761064937569922f1d1381bd11d23d1d2ed207fc0fead19e9111c1970f2a69b66e0d8a74497277ffc36e0fc119db146b5fd068f4a6b794dc54c5d4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll

Filesize
172KB

MD5
b199dcd6824a02522a4d29a69ab65058

SHA1
f9c7f8c5c6543b80fa6f1940402430b37fa8dce4

SHA256
9310a58f26be8bd453cde5ca6aa05042942832711fbdeb5430a2840232bfa5e4

SHA512
1d3e85e13ff24640c76848981ca84bafb32f819a082e390cb06fe13445814f50f8e3fc3a8a8e962aae8867e199c1517d570c07f28d5f7e5f007b2bb6e664ddb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\OfferPage.html

Filesize
1KB

MD5
9ba0a91b564e22c876e58a8a5921b528

SHA1
8eb23cab5effc0d0df63120a4dbad3cffcac6f1e

SHA256
2ad742b544e72c245f4e9c2e69f989486222477c7eb06e85d28492bd93040941

SHA512
38b5fb0f12887a619facce82779cb66e2592e5922d883b9dc4d5f9d2cb12e0f84324422cd881c948f430575febd510e948a22cd291595e3a0ba0307fce73bec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\tis\Config.tis

Filesize
291B

MD5
bf5328e51e8ab1211c509b5a65ab9972

SHA1
480dfb920e926d81bce67113576781815fbd1ea4

SHA256
98f22fb45530506548ae320c32ee4939d27017481d2ad0d784aa5516f939545b

SHA512
92bd7895c5ff8c40eecfdc2325ee5d1fb7ed86ce0ef04e8e4a65714fcf5603ea0c87b71afadb473433abb24f040ccabd960fa847b885322ad9771e304b661928

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll

Filesize
134KB

MD5
105a9e404f7ac841c46380063cc27f50

SHA1
ec27d9e1c3b546848324096283797a8644516ee3

SHA256
69fe749457218ec9a765f9aac74caf6d4f73084cf5175d3fd1e4f345af8b3b8b

SHA512
6990cbfc90c63962abde4fdaae321386f768be9fcf4d08bccd760d55aba85199f7a3e18bd7abe23c3a8d20ea9807cecaffb4e83237633663a8bb63dd9292d940

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll

Filesize
101KB

MD5
83d37fb4f754c7f4e41605ec3c8608ea

SHA1
70401de8ce89f809c6e601834d48768c0d65159f

SHA256
56db33c0962b3c34cba5279d2441bc4c12f28b569eadc1b3885dd0951b2c4020

SHA512
f5f3479f485b1829bbfb7eb8087353aee569184f9c506af15c4e28bfe4f73bf2cc220d817f6dfc34b2a7a6f69453f0b71e64b79c4d500ff9a243799f68e88b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll

Filesize
151KB

MD5
72990c7e32ee6c811ea3d2ea64523234

SHA1
a7fcbf83ec6eefb2235d40f51d0d6172d364b822

SHA256
e77e0b4f2762f76a3eaaadf5a3138a35ec06ece80edc4b3396de7a601f8da1b3

SHA512
2908b8c387d46b6329f027bc1e21a230e5b5c32460f8667db32746bc5f12f86927faa10866961cb2c45f6d594941f6828f9078ae7209a27053f6d11586fd2682

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\app.ico

Filesize
766B

MD5
4003efa6e7d44e2cbd3d7486e2e0451a

SHA1
a2a9ab4a88cd4732647faa37bbdf726fd885ea1e

SHA256
effd42c5e471ea3792f12538bf7c982a5cda4d25bfbffaf51eed7e09035f4508

SHA512
86e71ca8ca3e62949b44cfbc7ffa61d97b6d709fc38216f937a026fb668fbb1f515bac2f25629181a82e3521dafa576cac959d2b527d9cc9eb395e50d64c1198

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\sciter32.dll

Filesize
5.6MB

MD5
b431083586e39d018e19880ad1a5ce8f

SHA1
3bbf957ab534d845d485a8698accc0a40b63cedd

SHA256
b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b

SHA512
7805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\Users\Admin\AppData\Local\opera.exe

Filesize
2.0MB

MD5
4a4bede31557f421d3a793f43b9942c4

SHA1
13311baf8f1f3a7c44639426c6b46bdcfca01c6a

SHA256
1e1e6c6f420aa2b0da323877f4fde6bda618c2e4b57fbb7dab854e9cb55a56a9

SHA512
a6cc2e4fb0843d2008dde36aa9ef35bd28e62b3ae8dd6a2f106f68d9cd8eecf371856911fd0034bee00b2cb593a924cc2518bc6665814e66409bdbbbab582b13

Download Submit
C:\Users\Admin\AppData\Local\setup88593726.exe

Filesize
3.8MB

MD5
29d3a70cec060614e1691e64162a6c1e

SHA1
ce4daf2b1d39a1a881635b393450e435bfb7f7d1

SHA256
cc70b093a19610e9752794d757aec9ef07ca862ea9267ec6f9cc92b2aa882c72

SHA512
69d07437714259536373872e8b086fc4548f586e389f67e50f56d343e980546f92b8a13f28c853fc1daf187261087a9dceb33769ba2031c42382742d86c60e4b

Download Submit
C:\Users\Admin\Downloads\Delta V3.61.zip

Filesize
22.2MB

MD5
2692ff99a5f94520b6caa33bbd0cf05e

SHA1
0bf675fad129bc61f7c2763177a4314288cce4cd

SHA256
507641e3047216809af93a127af70a266e273cd95c1cfaa06605a753b9166388

SHA512
65d9665d29684325ca27a33ec187be8ccb142f98f662f888b944750ffcfcea43c496403331ab00e5e408dc5b1c3d39d7fc2defdecb1133a41dcc5d00c7c0392c

Download Submit
memory/1360-490-0x00000000064C0000-0x0000000006536000-memory.dmp

Filesize
472KB

Download
memory/1360-485-0x0000000000130000-0x0000000001236000-memory.dmp

Filesize
17.0MB

Download
memory/1360-496-0x000000000BA00000-0x000000000BA08000-memory.dmp

Filesize
32KB

Download
memory/1360-495-0x0000000006E60000-0x0000000006EFC000-memory.dmp

Filesize
624KB

Download
memory/1360-494-0x00000000069F0000-0x0000000006D44000-memory.dmp

Filesize
3.3MB

Download
memory/1360-493-0x0000000006540000-0x000000000655E000-memory.dmp

Filesize
120KB

Download
memory/1360-489-0x0000000006050000-0x0000000006100000-memory.dmp

Filesize
704KB

Download
memory/1360-488-0x0000000005E20000-0x0000000005E2E000-memory.dmp

Filesize
56KB

Download
memory/1360-487-0x0000000005E60000-0x0000000005E98000-memory.dmp

Filesize
224KB

Download
memory/1360-486-0x0000000005A60000-0x0000000005A68000-memory.dmp

Filesize
32KB

Download
memory/1772-100-0x0000000005510000-0x000000000551A000-memory.dmp

Filesize
40KB

Download
memory/1772-240-0x00000000713BE000-0x00000000713BF000-memory.dmp

Filesize
4KB

Download
memory/1772-84-0x00000000054A0000-0x00000000054BA000-memory.dmp

Filesize
104KB

Download
memory/1772-126-0x0000000005580000-0x000000000559D000-memory.dmp

Filesize
116KB

Download
memory/1772-76-0x00000000054C0000-0x00000000054F2000-memory.dmp

Filesize
200KB

Download
memory/1772-179-0x0000000007210000-0x00000000077B4000-memory.dmp

Filesize
5.6MB

Download
memory/1772-51-0x00000000053F0000-0x0000000005418000-memory.dmp

Filesize
160KB

Download
memory/1772-116-0x00000000055F0000-0x000000000561C000-memory.dmp

Filesize
176KB

Download
memory/1772-92-0x0000000005530000-0x0000000005554000-memory.dmp

Filesize
144KB

Download
memory/1772-196-0x0000000006E80000-0x0000000006F12000-memory.dmp

Filesize
584KB

Download
memory/1772-108-0x00000000055A0000-0x00000000055A8000-memory.dmp

Filesize
32KB

Download
memory/1772-216-0x0000000008470000-0x000000000849E000-memory.dmp

Filesize
184KB

Download
memory/1772-176-0x0000000006C30000-0x0000000006C3C000-memory.dmp

Filesize
48KB

Download
memory/1772-337-0x00000000713B0000-0x0000000071B60000-memory.dmp

Filesize
7.7MB

Download
memory/1772-15-0x00000000713BE000-0x00000000713BF000-memory.dmp

Filesize
4KB

Download
memory/1772-185-0x0000000007D80000-0x0000000008334000-memory.dmp

Filesize
5.7MB

Download
memory/1772-241-0x00000000713B0000-0x0000000071B60000-memory.dmp

Filesize
7.7MB

Download
memory/1772-59-0x0000000005420000-0x000000000544E000-memory.dmp

Filesize
184KB

Download
memory/1772-64-0x00000000713B0000-0x0000000071B60000-memory.dmp

Filesize
7.7MB

Download
memory/1772-142-0x0000000005C60000-0x0000000005C72000-memory.dmp

Filesize
72KB

Download
memory/1772-68-0x0000000005450000-0x0000000005478000-memory.dmp

Filesize
160KB

Download
memory/1772-170-0x0000000006770000-0x0000000006AC4000-memory.dmp

Filesize
3.3MB

Download
memory/1772-43-0x00000000053C0000-0x00000000053E4000-memory.dmp

Filesize
144KB

Download
memory/1772-35-0x0000000005370000-0x0000000005384000-memory.dmp

Filesize
80KB

Download
memory/1772-169-0x0000000006740000-0x0000000006762000-memory.dmp

Filesize
136KB

Download
memory/1772-163-0x0000000006340000-0x00000000063CC000-memory.dmp

Filesize
560KB

Download
memory/1772-168-0x00000000062C0000-0x00000000062CA000-memory.dmp

Filesize
40KB

Download
memory/1772-16-0x00000000005D0000-0x00000000009A8000-memory.dmp

Filesize
3.8MB

Download
memory/2476-333-0x0000000000F20000-0x0000000000F2C000-memory.dmp

Filesize
48KB

Download