Analysis
-
max time kernel
210s -
max time network
211s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
27-10-2024 16:10
Static task
static1
General
-
Target
Delta V3.61 b_04532601.exe
-
Size
5.7MB
-
MD5
15d1c495ff66bf7cea8a6d14bfdf0a20
-
SHA1
942814521fa406a225522f208ac67f90dbde0ae7
-
SHA256
61c2c4a5d7c14f77ee88871ded4cc7f1e49dae3e4ef209504c66fedf4d22de42
-
SHA512
063169f22108ac97a3ccb6f8e97380b1e48eef7a07b8fb20870b9bd5f03d7279d3fb10a69c09868beb4a1672ebe826198ae2d0ea81df4d29f9a288ea4f2b98d8
-
SSDEEP
98304:+j8ab67Ht6RL8xpH4Tv7wPV6osBsBpPj7cZ+KCojTeEL78rqNkIi+bn:+j8aatLPV6oPrk38rqNj
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: setup.exe File opened (read-only) \??\F: setup.exe File opened (read-only) \??\D: setup.exe File opened (read-only) \??\F: setup.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 5 discord.com 105 discord.com -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\pmls.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\pmls.dll pmropn.exe File created C:\Windows\system32\pmls64.dll pmropn.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 48 IoCs
description ioc Process File created C:\Program Files (x86)\PremierOpinion\pmservice.exe ContentI3.exe File created C:\Program Files (x86)\PremierOpinion\pmph.dll ContentI3.exe File created C:\PROGRA~2\PREMIE~1\RData.reg reg.exe File created C:\Program Files (x86)\PremierOpinion\pmservice.exe ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmls.dll ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmls64.dll ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmph.dll ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmservice.exe ContentI3.exe File created C:\Program Files (x86)\PremierOpinion\pmservice.exe ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmph.dll ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmropn64.exe ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmph.dll ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmropn32.exe ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmropn.exe ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmls.dll ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmls64.dll ContentI3.exe File created C:\PROGRA~2\PREMIE~1\tms.bin pmservice.exe File created C:\PROGRA~2\PREMIE~1\snt.dat pmservice.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmls.dll ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmservice.ex_ ContentI3.exe File created C:\Program Files (x86)\PremierOpinion\pmls64.dll ContentI3.exe File created C:\Program Files (x86)\PremierOpinion\pmropn64.exe ContentI3.exe File created C:\Program Files (x86)\PremierOpinion\pmropn.exe ContentI3.exe File created C:\Program Files (x86)\PremierOpinion\cacert.pem pmservice.exe File created C:\Program Files (x86)\PremierOpinion\catrust.pem pmservice.exe File opened for modification C:\PROGRA~2\PREMIE~1\snt.dat.bac pmservice.exe File created C:\Program Files (x86)\PremierOpinion\pmservice.ex_ ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmropn32.exe ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmropn.exe ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmropn64.exe ContentI3.exe File created C:\Program Files (x86)\PremierOpinion\pmropn.exe ContentI3.exe File created C:\Program Files (x86)\PremierOpinion\pmls.dll ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmropn64.exe ContentI3.exe File created C:\Program Files (x86)\PremierOpinion\pmropn32.exe ContentI3.exe File created C:\Program Files (x86)\PremierOpinion\pmropn.exe ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmservice.ex_ ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmls.dll ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmls64.dll ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmropn.ex_ ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmservice.exe ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmropn32.exe ContentI3.exe File opened for modification C:\PROGRA~2\PREMIE~1\snt.dat pmservice.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmls64.dll ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmropn32.exe ContentI3.exe File created C:\Program Files (x86)\PremierOpinion\pmropn.ex_ ContentI3.exe File opened for modification C:\PROGRA~2\PREMIE~1\RData.reg reg.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmropn64.exe ContentI3.exe File opened for modification C:\Program Files (x86)\PremierOpinion\pmph.dll ContentI3.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\SystemTemp\REG2948.tmp reg.exe File opened for modification C:\Windows\SystemTemp chrome.exe -
Executes dropped EXE 17 IoCs
pid Process 3580 OperaGX.exe 4024 setup.exe 4284 setup.exe 4388 setup.exe 3336 setup.exe 572 setup.exe 3048 Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe 3728 assistant_installer.exe 1564 assistant_installer.exe 544 ContentI3.exe 4904 ContentI3.exe 860 ContentI3.exe 5004 ContentI3.exe 5084 pmropn.exe 4936 pmservice.exe 1216 svchost.exe 2660 pmropn.exe -
Loads dropped DLL 7 IoCs
pid Process 4024 setup.exe 4284 setup.exe 4388 setup.exe 3336 setup.exe 572 setup.exe 4936 pmservice.exe 4100 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pmropn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ContentI3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pmservice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pmropn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Delta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Delta V3.61 b_04532601.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language assistant_installer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language assistant_installer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ContentI3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ContentI3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OperaGX.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ContentI3.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 42 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates pmservice.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133745191301632127" chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs pmservice.exe -
Modifies registry class 6 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings chrome.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2584844841-1405471295-1760131749-1000\{4FAE937F-BC97-4765-BDD5-B0BDB14D8E16} msedge.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Opera GXStable Delta V3.61 b_04532601.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable Delta V3.61 b_04532601.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings Delta V3.61 b_04532601.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D pmropn.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c76030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d2000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb pmservice.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 140000000100000014000000c04d850dcd7a8e9bc67e8f20375eb747fd3d397e040000000100000010000000d7331d40fc0ca9d2f4e45d8a280a5810030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c762000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb pmservice.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 5c000000010000000400000000080000140000000100000014000000c04d850dcd7a8e9bc67e8f20375eb747fd3d397e040000000100000010000000d7331d40fc0ca9d2f4e45d8a280a5810030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c7619000000010000001000000012cab0233db2f09a0336851de92237df2000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb pmservice.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c76030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d040000000100000010000000d7331d40fc0ca9d2f4e45d8a280a58102000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb pmservice.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 19000000010000001000000012cab0233db2f09a0336851de92237df0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c76030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d040000000100000010000000d7331d40fc0ca9d2f4e45d8a280a5810140000000100000014000000c04d850dcd7a8e9bc67e8f20375eb747fd3d397e2000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb pmservice.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d2000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb pmropn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D pmservice.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 040000000100000010000000d7331d40fc0ca9d2f4e45d8a280a5810030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c762000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb pmservice.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Delta V3.61.zip:Zone.Identifier chrome.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1668 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid Process 5084 pmropn.exe 5084 pmropn.exe 5084 pmropn.exe 5084 pmropn.exe 4936 pmservice.exe 4936 pmservice.exe 2660 pmropn.exe 2660 pmropn.exe 2660 pmropn.exe 2660 pmropn.exe 760 chrome.exe 760 chrome.exe 1312 msedge.exe 1312 msedge.exe 2096 msedge.exe 2096 msedge.exe 5876 msedge.exe 5876 msedge.exe 6052 identity_helper.exe 6052 identity_helper.exe 2952 msedge.exe 2952 msedge.exe 2036 Delta.exe 2036 Delta.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
pid Process 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4100 rundll32.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe Token: SeCreatePagefilePrivilege 760 chrome.exe Token: SeShutdownPrivilege 760 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 760 chrome.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe -
Suspicious use of SetWindowsHookEx 25 IoCs
pid Process 4264 Delta V3.61 b_04532601.exe 4264 Delta V3.61 b_04532601.exe 4264 Delta V3.61 b_04532601.exe 4264 Delta V3.61 b_04532601.exe 4264 Delta V3.61 b_04532601.exe 4264 Delta V3.61 b_04532601.exe 4264 Delta V3.61 b_04532601.exe 4264 Delta V3.61 b_04532601.exe 4264 Delta V3.61 b_04532601.exe 4264 Delta V3.61 b_04532601.exe 4264 Delta V3.61 b_04532601.exe 4264 Delta V3.61 b_04532601.exe 4264 Delta V3.61 b_04532601.exe 4264 Delta V3.61 b_04532601.exe 4264 Delta V3.61 b_04532601.exe 4264 Delta V3.61 b_04532601.exe 4264 Delta V3.61 b_04532601.exe 4264 Delta V3.61 b_04532601.exe 544 ContentI3.exe 4904 ContentI3.exe 860 ContentI3.exe 5004 ContentI3.exe 5084 pmropn.exe 2660 pmropn.exe 5352 MiniSearchHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4264 wrote to memory of 3580 4264 Delta V3.61 b_04532601.exe 80 PID 4264 wrote to memory of 3580 4264 Delta V3.61 b_04532601.exe 80 PID 4264 wrote to memory of 3580 4264 Delta V3.61 b_04532601.exe 80 PID 3580 wrote to memory of 4024 3580 OperaGX.exe 81 PID 3580 wrote to memory of 4024 3580 OperaGX.exe 81 PID 3580 wrote to memory of 4024 3580 OperaGX.exe 81 PID 4024 wrote to memory of 4284 4024 setup.exe 82 PID 4024 wrote to memory of 4284 4024 setup.exe 82 PID 4024 wrote to memory of 4284 4024 setup.exe 82 PID 4024 wrote to memory of 4388 4024 setup.exe 83 PID 4024 wrote to memory of 4388 4024 setup.exe 83 PID 4024 wrote to memory of 4388 4024 setup.exe 83 PID 4024 wrote to memory of 3336 4024 setup.exe 84 PID 4024 wrote to memory of 3336 4024 setup.exe 84 PID 4024 wrote to memory of 3336 4024 setup.exe 84 PID 3336 wrote to memory of 572 3336 setup.exe 85 PID 3336 wrote to memory of 572 3336 setup.exe 85 PID 3336 wrote to memory of 572 3336 setup.exe 85 PID 4024 wrote to memory of 3048 4024 setup.exe 86 PID 4024 wrote to memory of 3048 4024 setup.exe 86 PID 4024 wrote to memory of 3048 4024 setup.exe 86 PID 4024 wrote to memory of 3728 4024 setup.exe 87 PID 4024 wrote to memory of 3728 4024 setup.exe 87 PID 4024 wrote to memory of 3728 4024 setup.exe 87 PID 3728 wrote to memory of 1564 3728 assistant_installer.exe 88 PID 3728 wrote to memory of 1564 3728 assistant_installer.exe 88 PID 3728 wrote to memory of 1564 3728 assistant_installer.exe 88 PID 4264 wrote to memory of 4904 4264 Delta V3.61 b_04532601.exe 90 PID 4264 wrote to memory of 4904 4264 Delta V3.61 b_04532601.exe 90 PID 4264 wrote to memory of 4904 4264 Delta V3.61 b_04532601.exe 90 PID 4264 wrote to memory of 544 4264 Delta V3.61 b_04532601.exe 89 PID 4264 wrote to memory of 544 4264 Delta V3.61 b_04532601.exe 89 PID 4264 wrote to memory of 544 4264 Delta V3.61 b_04532601.exe 89 PID 4264 wrote to memory of 860 4264 Delta V3.61 b_04532601.exe 92 PID 4264 wrote to memory of 860 4264 Delta V3.61 b_04532601.exe 92 PID 4264 wrote to memory of 860 4264 Delta V3.61 b_04532601.exe 92 PID 4264 wrote to memory of 5004 4264 Delta V3.61 b_04532601.exe 94 PID 4264 wrote to memory of 5004 4264 Delta V3.61 b_04532601.exe 94 PID 4264 wrote to memory of 5004 4264 Delta V3.61 b_04532601.exe 94 PID 4264 wrote to memory of 1668 4264 Delta V3.61 b_04532601.exe 95 PID 4264 wrote to memory of 1668 4264 Delta V3.61 b_04532601.exe 95 PID 4264 wrote to memory of 1668 4264 Delta V3.61 b_04532601.exe 95 PID 544 wrote to memory of 5084 544 ContentI3.exe 96 PID 544 wrote to memory of 5084 544 ContentI3.exe 96 PID 544 wrote to memory of 5084 544 ContentI3.exe 96 PID 4936 wrote to memory of 4100 4936 pmservice.exe 99 PID 4936 wrote to memory of 4100 4936 pmservice.exe 99 PID 4936 wrote to memory of 832 4936 pmservice.exe 100 PID 4936 wrote to memory of 832 4936 pmservice.exe 100 PID 4936 wrote to memory of 832 4936 pmservice.exe 100 PID 4100 wrote to memory of 1216 4100 rundll32.exe 20 PID 5004 wrote to memory of 2660 5004 ContentI3.exe 102 PID 5004 wrote to memory of 2660 5004 ContentI3.exe 102 PID 5004 wrote to memory of 2660 5004 ContentI3.exe 102 PID 760 wrote to memory of 1844 760 chrome.exe 106 PID 760 wrote to memory of 1844 760 chrome.exe 106 PID 760 wrote to memory of 944 760 chrome.exe 107 PID 760 wrote to memory of 944 760 chrome.exe 107 PID 760 wrote to memory of 944 760 chrome.exe 107 PID 760 wrote to memory of 944 760 chrome.exe 107 PID 760 wrote to memory of 944 760 chrome.exe 107 PID 760 wrote to memory of 944 760 chrome.exe 107 PID 760 wrote to memory of 944 760 chrome.exe 107 PID 760 wrote to memory of 944 760 chrome.exe 107
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Executes dropped EXE
PID:1216
-
C:\Users\Admin\AppData\Local\Temp\Delta V3.61 b_04532601.exe"C:\Users\Admin\AppData\Local\Temp\Delta V3.61 b_04532601.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Users\Admin\AppData\Local\OperaGX.exeC:\Users\Admin\AppData\Local\OperaGX.exe --silent --allusers=02⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Users\Admin\AppData\Local\Temp\7zSCFD5A8E7\setup.exeC:\Users\Admin\AppData\Local\Temp\7zSCFD5A8E7\setup.exe --silent --allusers=0 --server-tracking-blob=MmEwMzQ4MTI5NTE2MjRjMjY1ZDlmNzNhYTcxYTllMzEzYTk2ZDQzMjY1ZGYyNDUwZTYzMTFlYmY4MzQzYWMzOTp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFHWFNldHVwLmV4ZSIsInByb2R1Y3QiOiJvcGVyYV9neCIsInF1ZXJ5IjoiL29wZXJhX2d4L3N0YWJsZS9lZGl0aW9uL3N0ZC0yP3V0bV9zb3VyY2U9UFdOZ2FtZXMmdXRtX21lZGl1bT1wYSZ1dG1fY2FtcGFpZ249UFdOX0dCX1BCNV8zNTc1JnV0bV9pZD1iOTEzNzZiMDkxM2E0OTM0OWU0OTFiMjdkOGYwOGQ1YSZ1dG1fY29udGVudD0zNTc1X0ZpbGVETSIsInRpbWVzdGFtcCI6IjE3MzAwNDU0MjguNzc5NSIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjI7IFdPVzY0OyBUcmlkZW50LzcuMDsgLk5FVDQuMEM7IC5ORVQ0LjBFOyAuTkVUIENMUiAyLjAuNTA3Mjc7IC5ORVQgQ0xSIDMuMC4zMDcyOTsgLk5FVCBDTFIgMy41LjMwNzI5KSIsInV0bSI6eyJjYW1wYWlnbiI6IlBXTl9HQl9QQjVfMzU3NSIsImNvbnRlbnQiOiIzNTc1X0ZpbGVETSIsImlkIjoiYjkxMzc2YjA5MTNhNDkzNDllNDkxYjI3ZDhmMDhkNWEiLCJtZWRpdW0iOiJwYSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiI0ZDJkMzQyNi0yNTgzLTQxYTUtOGI2MS0xODVjMGZiMGY3ZDQifQ==3⤵
- Enumerates connected drives
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Users\Admin\AppData\Local\Temp\7zSCFD5A8E7\setup.exeC:\Users\Admin\AppData\Local\Temp\7zSCFD5A8E7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=114.0.5282.123 --initial-client-data=0x33c,0x338,0x340,0x30c,0x344,0x71b28c5c,0x71b28c68,0x71b28c744⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4284
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4388
-
-
C:\Users\Admin\AppData\Local\Temp\7zSCFD5A8E7\setup.exe"C:\Users\Admin\AppData\Local\Temp\7zSCFD5A8E7\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=4024 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20241027161031" --session-guid=d726d371-56c8-4afc-9a65-99c6029dd747 --server-tracking-blob=NTQ0ZjNmNjRmYmEyYzFhOTg0OGU3Mjg2N2E2Y2M5OGEyMjhhNDYwZTJmNmEzZDBlYTQ5ZTNlZDBiYTA4NDg0YTp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFHWFNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhX2d4In0sInF1ZXJ5IjoiL29wZXJhX2d4L3N0YWJsZS9lZGl0aW9uL3N0ZC0yP3V0bV9zb3VyY2U9UFdOZ2FtZXMmdXRtX21lZGl1bT1wYSZ1dG1fY2FtcGFpZ249UFdOX0dCX1BCNV8zNTc1JnV0bV9pZD1iOTEzNzZiMDkxM2E0OTM0OWU0OTFiMjdkOGYwOGQ1YSZ1dG1fY29udGVudD0zNTc1X0ZpbGVETSIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTczMDA0NTQyOC43Nzk1IiwidXNlcmFnZW50IjoiTW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNy4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNy4wOyAuTkVUNC4wQzsgLk5FVDQuMEU7IC5ORVQgQ0xSIDIuMC41MDcyNzsgLk5FVCBDTFIgMy4wLjMwNzI5OyAuTkVUIENMUiAzLjUuMzA3MjkpIiwidXRtIjp7ImNhbXBhaWduIjoiUFdOX0dCX1BCNV8zNTc1IiwiY29udGVudCI6IjM1NzVfRmlsZURNIiwiaWQiOiJiOTEzNzZiMDkxM2E0OTM0OWU0OTFiMjdkOGYwOGQ1YSIsIm1lZGl1bSI6InBhIiwic291cmNlIjoiUFdOZ2FtZXMifSwidXVpZCI6IjRkMmQzNDI2LTI1ODMtNDFhNS04YjYxLTE4NWMwZmIwZjdkNCJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=40060000000000004⤵
- Enumerates connected drives
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Users\Admin\AppData\Local\Temp\7zSCFD5A8E7\setup.exeC:\Users\Admin\AppData\Local\Temp\7zSCFD5A8E7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=114.0.5282.123 --initial-client-data=0x328,0x32c,0x330,0x304,0x334,0x70be8c5c,0x70be8c68,0x70be8c745⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:572
-
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202410271610311\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202410271610311\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3048
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202410271610311\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202410271610311\assistant\assistant_installer.exe" --version4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202410271610311\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202410271610311\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x864f48,0x864f58,0x864f645⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1564
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe"C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe" -c:1538 -t:InstallUnion2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Program Files (x86)\PremierOpinion\pmropn.exeC:\Program Files (x86)\PremierOpinion\pmropn.exe -install -uninst:PremierOpinion -t:InstallUnion -bid:fF1XWXBSASgXaJnRCbPOGG -o:03⤵
- Drops file in System32 directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5084
-
-
-
C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe"C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe" -c:1538 -t:InstallUnion2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4904
-
-
C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe"C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe" -c:1538 -t:InstallUnion2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:860
-
-
C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe"C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe" -c:1538 -t:InstallUnion2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Program Files (x86)\PremierOpinion\pmropn.exeC:\Program Files (x86)\PremierOpinion\pmropn.exe -install -uninst:PremierOpinion -t:InstallUnion -bid:CusHfQ244xbagadtYAPOPN -o:03⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2660
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt2⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:1668
-
-
C:\Program Files (x86)\PremierOpinion\pmservice.exe"C:\Program Files (x86)\PremierOpinion\pmservice.exe" /service1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\pmls64.dll,UpdateProcess 12162⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4100
-
-
C:\Windows\SysWOW64\reg.exereg.exe EXPORT "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{eeb86aef-4a5d-4b75-9d74-f16d438fc286}" C:\PROGRA~2\PREMIE~1\RData.reg /y2⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:832
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff84028cc40,0x7ff84028cc4c,0x7ff84028cc582⤵PID:1844
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1876,i,9148051623699778848,1353005405572739938,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1872 /prefetch:22⤵PID:944
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2112,i,9148051623699778848,1353005405572739938,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2116 /prefetch:32⤵PID:4324
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,9148051623699778848,1353005405572739938,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2212 /prefetch:82⤵PID:1424
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,9148051623699778848,1353005405572739938,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:12⤵PID:2752
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3096,i,9148051623699778848,1353005405572739938,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:12⤵PID:4292
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4452,i,9148051623699778848,1353005405572739938,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3540 /prefetch:12⤵PID:2352
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3100,i,9148051623699778848,1353005405572739938,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4584 /prefetch:82⤵PID:3392
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4588,i,9148051623699778848,1353005405572739938,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4716 /prefetch:82⤵PID:4032
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4916,i,9148051623699778848,1353005405572739938,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4956 /prefetch:82⤵PID:3476
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4372,i,9148051623699778848,1353005405572739938,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4936 /prefetch:82⤵PID:832
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5100,i,9148051623699778848,1353005405572739938,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5016 /prefetch:12⤵PID:3864
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4580,i,9148051623699778848,1353005405572739938,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4464 /prefetch:82⤵
- NTFS ADS
PID:3852
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:1416
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:872
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1556
-
C:\Users\Admin\Downloads\Delta V3.61\Delta V3.61\Delta.exe"C:\Users\Admin\Downloads\Delta V3.61\Delta V3.61\Delta.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2036 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/4TfpR6wUUu2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2096 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff83cac3cb8,0x7ff83cac3cc8,0x7ff83cac3cd83⤵PID:2504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,11090138457184656716,15254491996387246427,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1980 /prefetch:23⤵PID:5072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,11090138457184656716,15254491996387246427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:1312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,11090138457184656716,15254491996387246427,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:83⤵PID:1284
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11090138457184656716,15254491996387246427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:13⤵PID:5296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11090138457184656716,15254491996387246427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:13⤵PID:5328
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11090138457184656716,15254491996387246427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:13⤵PID:5732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1968,11090138457184656716,15254491996387246427,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3620 /prefetch:83⤵PID:5868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1968,11090138457184656716,15254491996387246427,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3264 /prefetch:83⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,11090138457184656716,15254491996387246427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4008 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:6052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1968,11090138457184656716,15254491996387246427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:2952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11090138457184656716,15254491996387246427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1752 /prefetch:13⤵PID:5364
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11090138457184656716,15254491996387246427,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:13⤵PID:5820
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11090138457184656716,15254491996387246427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:13⤵PID:3860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11090138457184656716,15254491996387246427,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:13⤵PID:5972
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5316
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5480
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5352
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD54287f3d567dd93b16fe61c3fb4b8bc72
SHA177f48c789390662254ee28ada34b8028040c8bc5
SHA256d4742de57a47f9283ac8a0c2f80245aa86dca844fbb2a62daf9009a1c2b2fcda
SHA512fa655357a297971e26989d5608214b9af39e28ddba3d17b6dbb779fdf4cdab9bf4ee653ec670959844735f5db23b90c94ca2d38f11f2dc304839b1c0aa23d33e
-
Filesize
3KB
MD577eb3ade4c5b0db67c6e8a26f131073c
SHA1ad9e8c00174cc2e707f59df671f89a9d7fc2ffc7
SHA2569f19e7a7139cca8373b516ab1ae49c644aa1c8048e8c7aa5784774a081dcbb87
SHA51220eb7d34c80bb8d8a415bcdccf8e46cb36396c095ed1468b69c0cb91da915e3a14c7fd55247f68e64ff71cf8d336cc286c3662710ca6281840fdc2f1eb7ac6a1
-
Filesize
885KB
MD550a0c6c01cdc5d2690ccd1f1541f6670
SHA1c5e017a468efb70eabb1f861784edac62acb0e17
SHA256f9a853830949bb22d6f4d128d71a0ab923d9b5549c0dc8785c7de7d1a4eabf99
SHA512028d5a56c581d3751628c7503e83aa52c332678495943c3648049ae0b26a7190e98395ad205cf60896140d1a802c14a346a2d1553e7b53090c3f5beefd66e9b1
-
Filesize
1.1MB
MD5aa56cb7fd83150c3a75cd6a0de97eb78
SHA134415c5c8e57cfe9a7b4a498eacfe1403f3191ec
SHA256034e066829d28bbc81604250f6df721a35ab1c0898ab82bef6305ffada240765
SHA512765f12e5e060db934d0f4e8159bb9bd10cdbe797d79488a0dc88215a73e49101e279ca69e10c1775a5e161bb4dd02585724c7c87bbefdcdd047adb4277804fa2
-
Filesize
807KB
MD59d96ccb0d5ab5541b61d5c138d91796f
SHA1cf3ee3e66c8f9c23e3efd29978215461347e650d
SHA256379a1f1f02c8cb704f248c2f1ff79c8986f73c350a3bf6d9bbc93aeacd286e36
SHA51269ca7d96896d872eefa63f0c0bd9613526a914e99c4cf12b5d221315277aa64894d99d0f5ce9c5e0ef640d61c9202cd3d51ddb2ab4c55f8fdf60d24a8c1ff6ac
-
Filesize
6.7MB
MD5f27f98c1a877f9ca6f06c23bed4014ca
SHA125a231319659c30d6f86a5c9cdd1747d7c471542
SHA2561ed47933c9f33c4860ecc0bf1ba7525212aa00054037a9a51a8d8f5ce3b821bd
SHA512f054a618d2f8e7a829c26548312b436e21058ee1ff64b40e7c19be2bde037003c21332af3c60e2fd92675af80526ef6faf84b8c1d7a095bb2c4d0b799e66599c
-
Filesize
245KB
MD56e4d6b68e9565c4cc7791b00c2094ff9
SHA1965a00a5a8bb05b35fbaa357951779ea3b71e392
SHA25665d6f18e1b366aff5343c3f6628041329e7c1375d18ba57076b19bf5f48bc483
SHA5120cb1396822c7350057cfc7280e1c67ccf1e1a2206347a10025e285f00e9364563685ba5282775960a9329511fd321a631222c87ae7ca8106eca00fb78722b20f
-
Filesize
304KB
MD5ae5bbcc69b05359d0d5cc72ca6a1262e
SHA16843bd883d50216be44065411a983a4bcccdcc91
SHA25612bfd1007634138b22c56ead24db02a1fe3a4d4b7fe04d30cd07a0ff5d4c8425
SHA5126417aaeb4ccd86504bc1f83e32c91a60920e98fff833c02fdbef974819a3288cab0c96d6b114ceed4432c305d49120cacbc7e0da69c911f4035aadfbec7a91de
-
Filesize
4.2MB
MD5f6f38aa63da907a39618ec6d001945df
SHA17f1d903b9b7a7545ff3fa1898e68ae7b6b0283ef
SHA2568dde9bb88407384d1fb709922ec5a8c8ceb41595785f90df8736b1021de91b4d
SHA5121aa222cd7a93ac029705ec9cc1999316ade5389f4b3eae0ef8b013b89e0249252190026a4cdb4ff77f8b4c3033dbca05dbf88e3176d22086923dc914a6239003
-
Filesize
1KB
MD567e486b2f148a3fca863728242b6273e
SHA1452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e
-
Filesize
436B
MD5971c514f84bba0785f80aa1c23edfd79
SHA1732acea710a87530c6b08ecdf32a110d254a54c8
SHA256f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA51243dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize174B
MD52e9a041a9fb5a9330c2b55bcec27d64c
SHA17a23efd7e062e1a24a18351369c76c68a144b31f
SHA2568b54de909c22785430382b2d35a62bb53785bf199063451099975e289ee8e419
SHA51230df31fe2faad511201b3614adec80ee9a630a90b40280f11fa049691dd4d47920efd7287586a5a081b8307fb1b23dc41efa75f90e0b6e3c1460ae364fc98ab0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize170B
MD582b0840fb6de2cefcf89cd264e581c41
SHA1324702a17d80e10c1c343a1423bfd5013edeb53f
SHA256ad8f624c57f3092bdbc0d0817398079dcf92a93e3f4f56f073a433ebce65eb61
SHA5122ed827963467de1a601076fb2753b7f958ad1a3e06a46602c97925ea9b8b3b5cbffada6c8eee194e5a1c594efaeb5e8d4c740bc1d2bcb6bff7bfbd4ce39875ff
-
Filesize
64KB
MD59e8bb5e42280edeaac4745d924fb09dc
SHA125a6ef734db4b65846ea3c975a0774f583d69699
SHA256f6ff7aa82a563abadc9c1efa669379ea8121e0f9513f21afc9df53e7ecc0de28
SHA5129ebc17129d5d7841249e2cf180fe766941910cc8d893e4083ee16dea08ec7c29e8bcea33a79a7be32b85a55a565e941d5acad8f96cec11ed1ee798cef26d3c64
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
992B
MD5155824c70a271f41cef12339c7dc5b8a
SHA1d0a9a20fdbae05efabd23e76c4284a7d3ea83fbd
SHA2564194acc3e1ba056f1ae718480d10e5fd2bc83735a9085007bb83b99546556174
SHA512a598598ba4ebe6035620c830a5268f1767d9c37c0dd13fd177f995ad42b91da2a1880f737944bc39a134b46188447467d2c77309bf0368e10acb748f29f92766
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\2c1b462a-5d57-4ba1-aa2e-1ccbabcdbf5f.tmp
Filesize9KB
MD562424baf6d7fd2c249d13b5fa507425a
SHA1e4dbccf76e980eab460f4c10bfa31671b23f5a54
SHA256396b0ba91d3284f012c63034b26be9451b167a4399b9706a330485854815f35f
SHA5120ca1744ce0075b94009832a3b231abacd57a3c63d2bc7314edda76111b20efc037ae8a46c50a0358b0fc3bac309c3d87183a135c049df39e12257bbd1bbdb4b9
-
Filesize
649B
MD55220d5f9cb16ceacdd3e81e7b25a7b1b
SHA191f3c4bab343d8452861ee51fcf4e6a73caffeca
SHA2569e2bb8d6575e6b1b6e97fb55b4cfd6e11fa2c9a970805b5310e181a78a767591
SHA512187011ded12ffc7e7419b70a8d5161f288b4ab7fe57c8dec47b564959586ea68aa2ea024c136fa4007efd46b24e85a1266be68d884c7f3dc5d797c9bcb78aafe
-
Filesize
2KB
MD54be89b1d7f0386ac025b3ac476a30397
SHA13975428a95e1617991f56b8bab5fc5f1d62eb73b
SHA256aed3ce629a2e853daa0abbae4b3439d4a70ca357e89e7dfd65a560211c78c49c
SHA512e1a110938eb3f58ff5632979e4261a99232154cb6a2bf44effca30c8bb9e3074e7facc035767efb85298436f96897f7b437eadc7514cb9b8af782c8ff4b4a507
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
354B
MD57a5c9afd362be018d544cd4f8bdbc690
SHA190e353dd116210eafd345f307a11ba5a4de4adc2
SHA256fdf0351f3b601a503bf05cd8179b520087b6e2998548bb27b36eaf03a58c170d
SHA5128b7e3f9911bcbdfa1ace29f87a8620030649e0040d4754adaccd1a07512dd54439bae4ffc1f69bc767fb2cb34f1eff9771424606cace5cd1b8782a32c8b7b434
-
Filesize
9KB
MD5f9db1cc1a7ab32d8b9b266257ab8bd49
SHA16a5f6a45989523b9245ddee8125ede2d2bfd8e13
SHA2568e8daa87f402cf3b5fd5d8b8026db6f7b9620c76598d4977d530dfd7a29d5821
SHA512e8b4ea46ef4f09f195404f094369e216b144ac9f53c7a360b690d5ff4785e28788b7181324704778fc596c5ee646dc94eb987dd2e6f414d70beee194cd7c3a04
-
Filesize
9KB
MD5c79d128d09a051a46a6ef39efd412c8f
SHA1a8ce55a87aa534757fe2bc8ad50d97828e1e3c61
SHA256cbddd96c4199c29711211c3bd561f5376ede297140d0dd6d971d81c4b9fcabec
SHA5122d233b227198a51604bbb8f28e390e0e784bae473e05c580d2dc64bd9bb0c2bce38902497e5ea49a1bf92152cd122e8c2e843a18e552f976034b63b1ffb2ce5f
-
Filesize
9KB
MD54ac6201b0a20123da9ca61bc8e80149a
SHA1f774a5de649fd5711ca0c099a772b8e48fb278f6
SHA256008c14694cc813fe3da4fe66ae014adf91ca0e358d487bc62a7a5a2187b9f275
SHA512241e79a7a5a67222af7ec4318bfde42edace847a9c8dfd8fde55eb8f88d75c14f62860a8ccb3b0632b27976fe8da9c43eb988f5a6928c1a3552171f6900403d1
-
Filesize
9KB
MD52059a44baaa9a3dd97e1382833922194
SHA1043deb7b2b39ffd3b49e6f196fcfc338e41065d6
SHA2563fa66e4332ac0c3aa558b6c3f8e567ff57ac12d8bd6bf52afcfb4ee84d823c64
SHA5121b5029cd6268a559e8604f7509824b1823df52b0dfe25a9466df950aca3fac459447dc282851705b50705e0e0102afc7d44cbf0264cda968cc482db1b920daf8
-
Filesize
9KB
MD5e64b3c7336f9dde3bce708be69c680a5
SHA17173d5de4c26dd95e99e75c64e97312f1644c33b
SHA256abc994d24cbc6510a200d019f77dc084ee46931998e45ce04853b702151e93d0
SHA512a4a5278d1584ee78d6085738ddc04eb2c0f4fa4c0330e5e788eab84969de3ae264d3341824da4da943b27e8c0f958805577b4e1f577b99728b834dbc9be881bb
-
Filesize
9KB
MD54f13aa66039e5d44da317bbcbc7d1bbc
SHA119014a19859b3fcf1e5326de0582ec7be97015aa
SHA256a5c3b67fa6acd2fec6ab7baebe529d68d689766133e9d5a92d93aa65b0b7aa45
SHA5127f560f324e3a499f3d56f49f79f6bff3f2a83fb57dcc28704b38e5b05a8b9183da63a58787e43c7cc00549f6a0c82a3eb5cc1eb4c143c46dab3842dfc4a86dbf
-
Filesize
15KB
MD5e8aa5dd6025ba55c9dd78fbb3b84bc83
SHA1467e526ed41d76bbaa7fe5e8723208971c9d435b
SHA25600addb4989e816863428a48981285f7ea91d36b306f08e6174691381c085d0b4
SHA5125f90b73b8789689fc242a6565ca260193435bc5bc900335032d68bd72993b6edd84d03d8e42ce9bc3b99b21b1c3e6e7b09c83e580be46e8eb5636cb088722dd6
-
Filesize
232KB
MD5511603b8dc8ce2a14a1dddd923cd07fc
SHA13a0de34d27197d185f8b5b07cae8e30770f0dc4d
SHA256d5f3891ca3a80134c138407ef80eb6bd4d3bb79cd78fa1eb852cd21d7eda45e6
SHA5123a24a9da135f5be871029e655d1a17742956b186f7b8eaa7dcd69ec13bdfafd60fe31ff00f73f277c484cafc5cca698e7975ce5f2bb4046f3cfaa9bddc49f429
-
Filesize
232KB
MD5bbd59cf00bd9d7b6432b0e403974a463
SHA1a836bd21e0cb43fc1b1743dc58f3e4e507d7e3b1
SHA25656d2d4a116ea2dd97f66dfebb0c6bea26241facdd4c3db5c08449ad3f294d546
SHA512f30eec02a24c66d15c9b4396e4a8a4158369021450ab5e317c95ba17438fcff9dcb6ca8410a893055f4655301fdbbc3bad53698b842f99a17fa622301af98929
-
Filesize
152B
MD502a4b762e84a74f9ee8a7d8ddd34fedb
SHA14a870e3bd7fd56235062789d780610f95e3b8785
SHA256366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da
SHA51219028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f
-
Filesize
152B
MD5826c7cac03e3ae47bfe2a7e50281605e
SHA1100fbea3e078edec43db48c3312fbbf83f11fca0
SHA256239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab
SHA512a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize480B
MD5abb742b66aa6a1603a1b30de1d8e717b
SHA148aca798f0c65dd33e8c5f8efd65185ddc68a166
SHA256f5b081c8ca7975d4f8f8713b940d10cfb6f340e0c85125d1376cb703c577f542
SHA512155e5ae628f3f2408ebc478da3f032b8352f40c36be4057b9401b2bb43e0fb3a7923c8c7051ed108356dce54a23e24efe1ce2fc1352b6b7693c069e19ecae798
-
Filesize
6KB
MD58f94ac3e1e8463c681a8cb6ab12b1307
SHA16e464e2ad3b21b88be9a6e7ac8631f34524c26e9
SHA256a5b29d042944ce1d64773ac2f56949989b5964f6d95f76b1536375563ec2eecd
SHA512563e5a98d52b035918163091e019b1846a39860dc8871261519e4af74535220bc79ac315a916c28418e7bd19a72aa4aef192bf0ab8168409faa81271d2aeb9eb
-
Filesize
5KB
MD57a60cf7a127f461320436d22049e9ca8
SHA1e66431e11480011484f168977422b75f6d8f1083
SHA256a805017d5c844c9f409d254af47d36a5055d54af64241bd062a924001b82c532
SHA512bbd326e11e7aa8d6117183549a94adb2b365d478360c332d354480ce20f5f7c79bee001907bfef5a9b505de322c5be490f0c46958da1404fa7c945e19f8d782f
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
11KB
MD5ec9614a74091c12b90ff0f6a2136ce47
SHA1c132e27fe009e27dab7c860688040383b8ae057a
SHA256e524587d64de0e5dec891481f2b1238f556dac8bf254ad05306e3140883e5aa6
SHA51298e5e412c306abab7c206d957e7c4fcb17371b350a67d3249c8f732da60bdcb70eb2c6857dec57cd2cf51410b1a7dd7436993e1f399164d46a31eaf016016cee
-
Filesize
3.2MB
MD50131dac93a71c2de2f1ec01fe0451ce2
SHA13d14184756cac54126adc60f603cbc003680c580
SHA25671b17e95592ee39580a6989464f2b45d1008254e8f5f87c2fed4ea0a217908d4
SHA51272504118727f52153bb164e6b5a43f3b2a950c57ba845f6521875d906e0f2868200119e7b5898a9c25e4c4a5059fd60f195bb6da30d63c604e28ff741f6ebbe8
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize10KB
MD5ce1600c3888d89162c8032344ab20842
SHA145b3b3e3364a976862b02dc3d2f68a672326ca77
SHA256bd0c29fc13c6b6af79cb8da57bb87d7ea0140609b9364a3771ed85a6961f99e1
SHA51278b49956f0fe18e5511bee752b521c4806af39fb43ba0232d11fa1724b6eaa8863658f123b09bb8b07ffe2f5375f37302092681f02a1e896e1af9182dffe3cbd
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202410271610311\additional_file0.tmp
Filesize1.4MB
MD5e9a2209b61f4be34f25069a6e54affea
SHA16368b0a81608c701b06b97aeff194ce88fd0e3c0
SHA256e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f
SHA51259e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202410271610311\assistant\assistant_installer.exe
Filesize1.8MB
MD54c8fbed0044da34ad25f781c3d117a66
SHA18dd93340e3d09de993c3bc12db82680a8e69d653
SHA256afe569ce9e4f71c23ba5f6e8fd32be62ac9538e397cde8f2ecbe46faa721242a
SHA512a04e6fd052d2d63a0737c83702c66a9af834f9df8423666508c42b3e1d8384300239c9ddacdc31c1e85140eb1193bcfac209f218750b40342492ffce6e9da481
-
Filesize
6.5MB
MD5a910474aad1eea96921d359e1763d2fd
SHA18f663c05861ce93a1418607bd208c21dc7263237
SHA2565354a7fa4ef330546d79e1ea02c456084400d0b47d52aaa43b088340981f461e
SHA5128654f3c5eb98dd4097ed5367771f2f3487a4c90f95754ca39b8900ab52c2c78ab6f90da339c1cce06364ca242d49901a7ebbac92cf14955e3a267ea988c194e4
-
Filesize
6.0MB
MD594a99783bf5a9aeb8a0c8adcbb144ac8
SHA1f5682606d1a3774a44d58a42391533899578897b
SHA2565d8acd8032a3f3147b50e88dd1141312f9232f46ee0cb9487efae3c23545a0e9
SHA512f545d11b103b79a00f8118000a447b26f76520f9ae4c4e78542237eb11b931b98900f62065ae3fbff747a79d6954d15a7ccb123b2adcfc81df71c17a6cf840a2
-
Filesize
3.6MB
MD52196dcacc7817baa543c8f582059b3e2
SHA168dc95911e6c287683caf5b104e869ef69089fed
SHA256b6ac2bdd5c9baa2a03b6ac9f2650566b7e03b393b31f7917397d013155c95b62
SHA5125e57c96c0225d5664e010760a83080acb0f5ee64077ee97c621865e461a1d549c0ec249017f52391afc3ebbc92d7f044faa9e437090cb22cc59d79d9f7cec002
-
Filesize
3.8MB
MD5bf6eed6cdc17a0130189a33a55ef5209
SHA1e337f5a0931f69c464f162385f1330b4d27b372f
SHA256ef2734657b11113a433abb7ebac962e2bf6bf685f05c5f672997f01875430168
SHA51290d23fd84007343e85f9fc003cf826b112fd930216a24d8c1488468443ae2a4b0c3cc2426b91c81a8228e125050e922fce05672e010e65247709fc4a7b856f1d
-
Filesize
6.6MB
MD59c352c4c40c4fabda212aa0673090fe2
SHA1c15a3513086c7ecb66261f4b064a72c10f1ce8e9
SHA256c06ce324c02aa663453592449be91ac2e46db9c87a10cd2280e93738b81af29e
SHA512de9f35ac234cc2caea9fbe632b52fa869db90cc2fec908b98b0fef417194c4edc4884f7d79a9f46c39c91bff762bf63bf888be01c6f48e271eabedf94fa7b005
-
Filesize
4.2MB
MD54ef95918e313c7ca01084629416fc714
SHA15bdaba6920d3f4d1f8ea47ce693276530b5f2a9c
SHA256303707068aab06ab0341178558c28ce1670d10f16c39522859c4f21097a87ee9
SHA51275861731e9ec1a43741b2b84f60677e9fdf26d5db8d6e4e91297f826fc2c357272c18cede7f64c42798f5459900b33d693ababe4e1140e4cfc54ef7a04af633a
-
Filesize
652B
MD552b83eb55e453daa1f00ceb853b5e039
SHA16baf3e01c31b8143c3528bec10f6b2fc6a6c919b
SHA25659e46737a3a8a3a76ae2437f0ebf6ed5c0b8744bb18e322caa2bd084b276b7ca
SHA51278a359240e38431b388506c374ca16566a8812d80f37c6c57bbd110981952f81aba7b49dcf96bf75d5f68c44cefaadf0a56b7b68f7375420021561c09c4706a0
-
Filesize
57B
MD57183e8105b59f84f65b707323f48231f
SHA127ae5e5055b416ea811398ad83d125cb280e1034
SHA256e60428d7b87a4e7b3232f033046f0ebe84f3119514e48441c997fced0a8948ad
SHA512fcfa5438e1d05d6c04f8d652f7c141c35c06a1d988e401da7575b051ed56cc2cfd897238f4aaca6097f9562d0617ec62e087020f54e4fb0fb71ad5ff09785dd8
-
Filesize
40B
MD54c1e10257032596eb201e3694f1592da
SHA106e515ab6af99bd6e36c4b463beb4aed851bb74e
SHA256fa83a99687679b051108fe8f9ff39264bf7298d64ff969c2a82f69f5e331b9b1
SHA5120ce87741d21d0cf30fbf46eb9e2b9868d11e73772594ce0a3f997d93476f3f765adef5d27c4aea9871ba58f8662e677aa0ce1cf8e92d565d3714ae7f22fa8e1f
-
Filesize
40B
MD503200250201d5f98df580b7189a0a72d
SHA100406c539af3351dd6cb42e429d84ef61ddd6a10
SHA256e8f46bdec676cbbc44ada66145141b0216a113566ff17718d3f6b63268d51ee4
SHA512f3365e05c815e68094266093eb8ed9e5d54768c4f37aa40cbf93a69e529da4ac1b8d2fdb778854f702f5639d1d52145715443a3f755c1933cfc61b25875d6248
-
Filesize
3KB
MD55eb3f79998f415230ece745e0b976652
SHA17164de9c5ae0d4bfd419ac2476930ee09bdf42db
SHA25695af85c2a91781de810c7edcdef1625dc61d7b76621f07db95dc2952e3de7623
SHA51277c678598fa6ef350dcf61887afc41f4a8a5fc1644988a4baf65c8d710b614e6f782b196b56336bdd1201fd39efd279f6f550da9dde2291948b9e676ea55b5c4