bb2b16ba32f1cee52412fa59dd1a6d40dc23df261b976f7c6adbd1b310dc97ca

Analysis

max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2022, 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nvda_2022.3.2.exe
Size

27.0MB
MD5

620a33b990761a4802b82b6ce657620a
SHA1

605b2d0c16e0a903118012e5dfc05165114cf816
SHA256

bb2b16ba32f1cee52412fa59dd1a6d40dc23df261b976f7c6adbd1b310dc97ca
SHA512

c6caeab9c33b40f7d46ce43b62f43fea242c31c47aed471bc698b3ff28b5470a3b86dd7bdffd55c013a4a4df83bc07e7ccd0ded4da00f44c501ec1f20d9752ad
SSDEEP

786432:XU3ZWZ8QctA7Z8grIFAYdslWwyAkduPuQ9:XUJO8QctGArslWwybduPuQ9

Score

10^/10

discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\documentation\en\changes.html

Ransom Note

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <META NAME="generator" CONTENT="http://txt2tags.sf.net"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8"> <LINK REL="stylesheet" TYPE="text/css" HREF="styles.css"> <TITLE>What's New in NVDA</TITLE> </HEAD><BODY BGCOLOR="white" TEXT="black"> <P ALIGN="center"><CENTER><H1>What's New in NVDA</H1> <FONT SIZE="4"> </FONT></CENTER> <H2>2022.3.2</H2> <P> This is a minor release to fix regressions with 2022.3.1 and address a security issue. </P> <H3>Security Fixes</H3> <UL> <LI>Prevents possible system level access for unauthenticated users. (<A HREF="https://github.com/nvaccess/nvda/security/advisories/GHSA-3jj9-295f-h69w" target="_blank">GHSA-3jj9-295f-h69w</A>) </UL> <P></P> <H3>Bug Fixes</H3> <UL> <LI>Fixes a regression from 2022.3.1 where certain functionality was disabled on secure screens. (<A HREF="https://github.com/nvaccess/nvda/issues/14286" target="_blank">#14286</A>) <LI>Fixes a regression from 2022.3.1 where certain functionality was disabled after sign-in, if NVDA started on the lock screen. (<A HREF="https://github.com/nvaccess/nvda/issues/14301" target="_blank">#14301</A>) </UL> <P></P> <H2>2022.3.1</H2> <P> This is a minor release to fix several security issues. Please responsibly disclose security issues to <A HREF="mailto:[email protected]" target="_blank">[email protected]</A>. </P> <H3>Security Fixes</H3> <UL> <LI>Fixed exploit where it was possible to elevate from user to system privileges. (<A HREF="https://github.com/nvaccess/nvda/security/advisories/GHSA-q7c2-pgqm-vvw5" target="_blank">GHSA-q7c2-pgqm-vvw5</A>) <LI>Fixed a security issue allowing access to the python console on the lock screen via a race condition for NVDA startup. (<A HREF="https://github.com/nvaccess/nvda/security/advisories/GHSA-72mj-mqhj-qh4w" target="_blank">GHSA-72mj-mqhj-qh4w</A>) <LI>Fixed issue where speech viewer text is cached when locking Windows. (<A HREF="https://github.com/nvaccess/nvda/security/advisories/GHSA-grvr-j2h8-3qm4" target="_blank">GHSA-grvr-j2h8-3qm4</A>) </UL> <P></P> <H3>Bug Fixes</H3> <UL> <LI>Prevent an unauthenticated user from updating settings for speech and Braille viewer on the lock screen. (<A HREF="https://github.com/nvaccess/nvda/security/advisories/GHSA-grvr-j2h8-3qm4" target="_blank">GHSA-grvr-j2h8-3qm4</A>) </UL> <P></P> <H2>2022.3</H2> <P> A significant amount of this release was contributed by the NVDA development community. This includes delayed character descriptions and improved Windows Console support. </P> <P> This release also includes several bug fixes. Notably, up-to-date versions of Adobe Acrobat/Reader will no longer crash when reading a PDF document. </P> <P> eSpeak has been updated, which introduces 3 new languages: Belarusian, Luxembourgish and Totontepec Mixe. </P> <H3>New Features</H3> <UL> <LI>In the Windows Console Host used by Command Prompt, PowerShell, and the Windows Subsystem for Linux on Windows 11 version 22H2 (Sun Valley 2) and later: <UL> <LI>Vastly improved performance and stability. (<A HREF="https://github.com/nvaccess/nvda/issues/10964" target="_blank">#10964</A>) <LI>When pressing <CODE>control+f</CODE> to find text, the review cursor position is updated to follow the found term. (<A HREF="https://github.com/nvaccess/nvda/issues/11172" target="_blank">#11172</A>) <LI>Reporting of typed text that does not appear on-screen (such as passwords) is disabled by default. It can be re-enabled in NVDA's advanced settings panel. (<A HREF="https://github.com/nvaccess/nvda/issues/11554" target="_blank">#11554</A>) <LI>Text that has scrolled offscreen can be reviewed without scrolling the console window. (<A HREF="https://github.com/nvaccess/nvda/issues/12669" target="_blank">#12669</A>) <LI>More detailed text formatting information is available. (<A HREF="https://github.com/microsoft/terminal/pull/10336" target="_blank">microsoft/terminal PR 10336</A>) </UL> <LI>A new Speech option has been added to read character descriptions after a delay. (<A HREF="https://github.com/nvaccess/nvda/issues/13509" target="_blank">#13509</A>) <LI>A new Braille option has been added to determine if scrolling the display forward/back should interrupt speech. (<A HREF="https://github.com/nvaccess/nvda/issues/2124" target="_blank">#2124</A>) </UL> <P></P> <H3>Changes</H3> <UL> <LI>eSpeak NG has been updated to 1.52-dev commit <CODE>9de65fcb</CODE>. (<A HREF="https://github.com/nvaccess/nvda/issues/13295" target="_blank">#13295</A>) <UL> <LI>Added languages: <UL> <LI>Belarusian <LI>Luxembourgish <LI>Totontepec Mixe </UL> </UL> <LI>When using UI Automation to access Microsoft Excel spreadsheet controls, NVDA is now able to report when a cell is merged. (<A HREF="https://github.com/nvaccess/nvda/issues/12843" target="_blank">#12843</A>) <LI>Instead of reporting "has details" the purpose of details is included where possible, for example "has comment". (<A HREF="https://github.com/nvaccess/nvda/issues/13649" target="_blank">#13649</A>) <LI>The installation size of NVDA is now shown in Windows Programs and Feature section. (<A HREF="https://github.com/nvaccess/nvda/issues/13909" target="_blank">#13909</A>) </UL> <P></P> <H3>Bug Fixes</H3> <UL> <LI>Adobe Acrobat / Reader 64 bit will no longer crash when reading a PDF document. (<A HREF="https://github.com/nvaccess/nvda/issues/12920" target="_blank">#12920</A>) <UL> <LI>Note that the most up to date version of Adobe Acrobat / Reader is also required to avoid the crash. </UL> <LI>Font size measurements are now translatable in NVDA. (<A HREF="https://github.com/nvaccess/nvda/issues/13573" target="_blank">#13573</A>) <LI>Ignore Java Access Bridge events where no window handle can be found for Java applications. This will improve performance for some Java applications including IntelliJ IDEA. (<A HREF="https://github.com/nvaccess/nvda/issues/13039" target="_blank">#13039</A>) <LI>Announcement of selected cells for LibreOffice Calc is more efficient and no longer results in a Calc freeze when many cells are selected. (<A HREF="https://github.com/nvaccess/nvda/issues/13232" target="_blank">#13232</A>) <LI>When running under a different user, Microsoft Edge is no longer inaccessible. (<A HREF="https://github.com/nvaccess/nvda/issues/13032" target="_blank">#13032</A>) <LI>When rate boost is off, eSpeak's rate does not drop anymore between rates 99% and 100%. (<A HREF="https://github.com/nvaccess/nvda/issues/13876" target="_blank">#13876</A>) <LI>Fix bug which allowed 2 Input Gestures dialogs to open. (<A HREF="https://github.com/nvaccess/nvda/issues/13854" target="_blank">#13854</A>) </UL> <P></P> <H3>Changes for Developers</H3> <UL> <LI>Updated Comtypes to version 1.1.11. (<A HREF="https://github.com/nvaccess/nvda/issues/12953" target="_blank">#12953</A>) <LI>In builds of Windows Console (<CODE>conhost.exe</CODE>) with an NVDA API level of 2 (<CODE>FORMATTED</CODE>) or greater, such as those included with Windows 11 version 22H2 (Sun Valley 2), UI Automation is now used by default. (<A HREF="https://github.com/nvaccess/nvda/issues/10964" target="_blank">#10964</A>) <UL> <LI>This can be overridden by changing the "Windows Console support" setting in NVDA's advanced settings panel. <LI>To find your Windows Console's NVDA API level, set "Windows Console support" to "UIA when available", then check the NVDA+F1 log opened from a running Windows Console instance. </UL> <LI>The Chromium virtual buffer is now loaded even when the document object has the MSAA <CODE>STATE_SYSTEM_BUSY</CODE> exposed via IA2. (<A HREF="https://github.com/nvaccess/nvda/issues/13306" target="_blank">#13306</A>) <LI>A config spec type <CODE>featureFlag</CODE> has been created for use with experimental features in NVDA. See <CODE>devDocs/featureFlag.md</CODE> for more information. (<A HREF="https://github.com/nvaccess/nvda/issues/13859" target="_blank">#13859</A>) </UL> <P></P> <H4>Deprecations</H4> <P> There are no deprecations proposed in 2022.3. </P> <H2>2022.2.4</H2> <P> This is a patch release to fix a security issue. </P> <H3>Bug Fixes</H3> <UL> <LI>Fixed an exploit where it was possible to open the NVDA python console via the log viewer on the lock screen. (<A HREF="https://github.com/nvaccess/nvda/security/advisories/GHSA-585m-rpvv-93qg" target="_blank">GHSA-585m-rpvv-93qg</A>) </UL> <P></P> <H2>2022.2.3</H2> <P> This is a patch release to fix an accidental API breakage introduced in 2022.2.1. </P> <H3>Bug Fixes</H3> <UL> <LI>Fixed a bug where NVDA did not announce "Secure Desktop" when entering a secure desktop. This caused NVDA remote to not recognize secure desktops. (<A HREF="https://github.com/nvaccess/nvda/issues/14094" target="_blank">#14094</A>) </UL> <P></P> <H2>2022.2.2</H2> <P> This is a patch release to fix a bug introduced in 2022.2.1 with input gestures. </P> <H3>Bug Fixes</H3> <UL> <LI>Fixed a bug where input gestures didn't always work. (<A HREF="https://github.com/nvaccess/nvda/issues/14065" target="_blank">#14065</A>) </UL> <P></P> <H2>2022.2.1</H2> <P> This is a minor release to fix a security issue. Please responsibly disclose security issues to <A HREF="mailto:[email protected]" target="_blank">[email protected]</A>. </P> <H3>Security Fixes</H3> <UL> <LI>Fixed exploit where it was possible to run a python console from the lockscreen. (GHSA-rmq3-vvhq-gp32) <LI>Fixed exploit where it was possible to escape the lockscreen using object navigation. (GHSA-rmq3-vvhq-gp32) </UL> <P></P> <H3>Changes for Developers</H3> <H4>Deprecations</H4> <P> These deprecations are currently not scheduled for removal. The deprecated aliases will remain until further notice. Please test the new API and provide feedback. For add-on authors, please open a GitHub issue if these changes stop the API from meeting your needs. </P> <UL> <LI><CODE>appModules.lockapp.LockAppObject</CODE> should be replaced with <CODE>NVDAObjects.lockscreen.LockScreenObject</CODE>. (GHSA-rmq3-vvhq-gp32) <LI><CODE>appModules.lockapp.AppModule.SAFE_SCRIPTS</CODE> should be replaced with <CODE>utils.security.getSafeScripts()</CODE>. (GHSA-rmq3-vvhq-gp32) </UL> <P></P> <H2>2022.2</H2> <P> This release includes many bug fixes. Notably, there are significant improvements for Java based applications, braille displays and Windows features. </P> <P> New table navigation commands have been introduced. Unicode CLDR has been updated. LibLouis has been updated, which includes a new German braille table. </P> <H3>New Features</H3> <UL> <LI>Support for interacting with Microsoft Loop Components in Microsoft Office products. (<A HREF="https://github.com/nvaccess/nvda/issues/13617" target="_blank">#13617</A>) <LI>New table navigation commands have been added. (<A HREF="https://github.com/nvaccess/nvda/issues/957" target="_blank">#957</A>) <UL> <LI><CODE>control+alt+home/end</CODE> to jump to first/last column. <LI><CODE>control+alt+pageUp/pageDown</CODE> to jump to first/last row. </UL> <LI>An unassigned script to cycle through language and dialect switching modes has been added. (<A HREF="https://github.com/nvaccess/nvda/issues/10253" target="_blank">#10253</A>) </UL> <P></P> <H3>Changes</H3> <UL> <LI>NSIS has been updated to version 3.08. (<A HREF="https://github.com/nvaccess/nvda/issues/9134" target="_blank">#9134</A>) <LI>CLDR has been updated to version 41.0. (<A HREF="https://github.com/nvaccess/nvda/issues/13582" target="_blank">#13582</A>) <LI>Updated LibLouis braille translator to <A HREF="https://github.com/liblouis/liblouis/releases/tag/v3.22.0" target="_blank">3.22.0</A>. (<A HREF="https://github.com/nvaccess/nvda/issues/13775" target="_blank">#13775</A>) <UL> <LI>New braille table: German grade 2 (detailed) </UL> <LI>Added new role for "busy indicator" controls. (<A HREF="https://github.com/nvaccess/nvda/issues/10644" target="_blank">#10644</A>) <LI>NVDA now announces when an NVDA action cannot be performed. (<A HREF="https://github.com/nvaccess/nvda/issues/13500" target="_blank">#13500</A>) <UL> <LI>This includes when: <UL> <LI>Using the NVDA Windows Store version. <LI>In a secure context. <LI>Waiting for a response to a modal dialog. </UL> </UL> </UL> <P></P> <H3>Bug Fixes</H3> <UL> <LI>Fixes for Java based applications: <UL> <LI>NVDA will now announce read-only state. (<A HREF="https://github.com/nvaccess/nvda/issues/13692" target="_blank">#13692</A>) <LI>NVDA will now announce disabled/enabled state correctly. (<A HREF="https://github.com/nvaccess/nvda/issues/10993" target="_blank">#10993</A>) <LI>NVDA will now announce function key shortcuts. (<A HREF="https://github.com/nvaccess/nvda/issues/13643" target="_blank">#13643</A>) <LI>NVDA can now beep or speak on progress bars. (<A HREF="https://github.com/nvaccess/nvda/issues/13594" target="_blank">#13594</A>) <LI>NVDA will no longer incorrectly remove text from widgets when presenting to the user. (<A HREF="https://github.com/nvaccess/nvda/issues/13102" target="_blank">#13102</A>) <LI>NVDA will now announce the state of toggle buttons. (<A HREF="https://github.com/nvaccess/nvda/issues/9728" target="_blank">#9728</A>) <LI>NVDA will now identify the window in a Java application with multiple windows. (<A HREF="https://github.com/nvaccess/nvda/issues/9184" target="_blank">#9184</A>) <LI>NVDA will now announce position information for tab controls. (<A HREF="https://github.com/nvaccess/nvda/issues/13744" target="_blank">#13744</A>) </UL> <LI>Braille fixes: <UL> <LI>Fix braille output when navigating certain text in Mozilla rich edit controls, such as drafting a message in Thunderbird. (<A HREF="https://github.com/nvaccess/nvda/issues/12542" target="_blank">#12542</A>) <LI>When braille is tethered automatically and the mouse is moved with mouse tracking enabled, text review commands now update the braille display with the spoken content. (<A HREF="https://github.com/nvaccess/nvda/issues/11519" target="_blank">#11519</A>) <LI>It is now possible to pan the braille display through content after use of text review commands. (<A HREF="https://github.com/nvaccess/nvda/issues/8682" target="_blank">#8682</A>) </UL> <LI>The NVDA installer can now run from directories with special characters. (<A HREF="https://github.com/nvaccess/nvda/issues/13270" target="_blank">#13270</A>) <LI>In Firefox, NVDA no longer fails to report items in web pages when aria-rowindex, aria-colindex, aria-rowcount or aria-colcount attributes are invalid. (<A HREF="https://github.com/nvaccess/nvda/issues/13405" target="_blank">#13405</A>) <LI>The cursor does not switch row or column anymore when using table navigation to navigate through merged cells. (<A HREF="https://github.com/nvaccess/nvda/issues/7278" target="_blank">#7278</A>) <LI>When reading non-interactive PDFs in Adobe Reader, the type and state of form fields (such as checkboxes and radio buttons) are now reported. (<A HREF="https://github.com/nvaccess/nvda/issues/13285" target="_blank">#13285</A>) <LI>"Reset configuration to factory defaults" is now accessible in the NVDA menu during secure mode. (<A HREF="https://github.com/nvaccess/nvda/issues/13547" target="_blank">#13547</A>) <LI>Any locked mouse keys will be unlocked when NVDA exits, previously the mouse button would remain locked. (<A HREF="https://github.com/nvaccess/nvda/issues/13410" target="_blank">#13410</A>) <LI>Visual Studio now reports line numbers. (<A HREF="https://github.com/nvaccess/nvda/issues/13604" target="_blank">#13604</A>) <UL> <LI>Note that for line number reporting to work, showing line numbers must be enabled in Visual Studio and NVDA. </UL> <LI>Visual Studio now correctly reports line indentation. (<A HREF="https://github.com/nvaccess/nvda/issues/13574" target="_blank">#13574</A>) <LI>NVDA will once again announce Start menu search result details in recent Windows 10 and 11 releases. (<A HREF="https://github.com/nvaccess/nvda/issues/13544" target="_blank">#13544</A>) <LI>In Windows 10 and 11 Calculator version 10.1908 and

Emails

HREF="mailto:[email protected]"

target="_blank">[email protected]</A>

URLs

https

http://txt2tags.sf.net

Signatures

Executes dropped EXE 6 IoCs

pid	Process
4948	nvda_noUIAccess.exe
4184	nvdaHelperRemoteLoader.exe
2824	Explorer.EXE
332	nvda_slave.exe
4896	nvda.exe
876	nvdaHelperRemoteLoader.exe

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32	regsvr32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	nvda_noUIAccess.exe

Loads dropped DLL 64 IoCs

pid	Process
4584	nvda_2022.3.2.exe
4584	nvda_2022.3.2.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4184	nvdaHelperRemoteLoader.exe
4948	nvda_noUIAccess.exe
2824	Explorer.EXE
2824	Explorer.EXE
4948	nvda_noUIAccess.exe
332	nvda_slave.exe
332	nvda_slave.exe
332	nvda_slave.exe
332	nvda_slave.exe
332	nvda_slave.exe
332	nvda_slave.exe
332	nvda_slave.exe
332	nvda_slave.exe
332	nvda_slave.exe
332	nvda_slave.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NVDA\locale\tr\symbols.dic	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\louis\tables\gd.tbl	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\louis\tables\is-chardefs6.cti	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\louis\tables\no-no-g2.ctb	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\documentation\mn\userGuide.html	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\documentation\ne\userGuide.html	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\locale\it\cldr.dic	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\locale\ja\cldr.dic	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\synthDrivers\espeak-ng-data\lfn_dict	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\synthDrivers\espeak-ng-data\nl_dict	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\synthDrivers\espeak-ng-data\voices\!v\edward2	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\louis\tables\ckb-g1.ctb	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\louis\tables\is.tbl	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\api-ms-win-crt-math-l1-1-0.dll	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\brlapi.pyd	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\builtin.dic	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\lib64\2022.3.2\IAccessible2proxy.dll	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\locale\da\cldr.dic	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\locale\sl\gestures.ini	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\locale\so\cldr.dic	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\synthDrivers\espeak-ng-data\lang\zle\uk	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\api-ms-win-crt-runtime-l1-1-0.dll	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\louis\tables\latinLetterDef8Dots.uti	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\louis\tables\no-no-comp8.ctb	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\synthDrivers\espeak-ng-data\chr_dict	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\documentation\my\styles.css	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\locale\de\gestures.ini	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\louis\tables\ko-g1-rules.cti	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\louis\tables\ro.tbl	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\locale\so\symbols.dic	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\louis\tables\as.tbl	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\synthDrivers\espeak-ng-data\lang\inc\pa	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\locale\gl\LC_MESSAGES\nvda.mo	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\locale\kn\cldr.dic	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\synthDrivers\espeak-ng-data\voices\!v\michel	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\documentation\nl\keyCommands.html	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\locale\hu\gestures.ini	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\synthDrivers\espeak-ng-data\voices\!v\UniRobot	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\synthDrivers\espeak-ng-data\lang\dra\ta	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\documentation\am\keyCommands.html	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\documentation\pl\keyCommands.html	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\locale\sk\characterDescriptions.dic	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\louis\tables\de-g2.ctb	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\synthDrivers\espeak-ng-data\lang\gmw\nl	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\api-ms-win-crt-process-l1-1-0.dll	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\locale\cs\LC_MESSAGES\wxstd.mo	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\louis\tables\gon.tbl	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\louis\tables\hyph_pl_PL.dic	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\documentation\it\keyCommands.html	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\fonts\FreeMono-FixedBraille.ttf	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\louis\tables\gujarati.cti	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\louis\tables\hyph_es_ES.dic	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\louis\tables\sin.cti	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\synthDrivers\espeak-ng-data\lang\roa\es-419	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\synthDrivers\espeak-ng-data\lang\trk\tk	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\synthDrivers\espeak-ng-data\voices\!v\Andrea	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\documentation\fr\styles.css	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\documentation\mn\keyCommands.html	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\documentation\pa\userGuide.html	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\locale\pa\characterDescriptions.dic	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\louis\tables\marburg_unicode_defs.cti	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\synthDrivers\espeak-ng-data\cv_dict	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\synthDrivers\espeak-ng-data\phonindex	nvda_slave.exe
File created	C:\Program Files (x86)\NVDA\wx._msw.pyd	nvda_slave.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Accessibility\Blind Access\On = "0"	nvda_noUIAccess.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Accessibility\Blind Access\On = "1"	nvda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Accessibility\Blind Access\On = "1"	nvda_noUIAccess.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9FE368B-8033-43A5-9E71-17F6F5385832}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A0E5B0C-A5A2-4145-8CC7-2895826CE656}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A8A15391-DA74-49B7-9666-82CD66D81A35}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00020412-0000-0000-C000-000000000046}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF70B63C-D31A-4E82-A823-B61BCC4DF275}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6A2950B-E547-4832-A0ED-8C8591FFA9E5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A3565A5E-1B1C-5EFE-BC3F-52EBF0F41DD1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{37D84F60-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{520CCA62-51A5-11D3-9144-00104BA11C5E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{922EADA0-3424-11CF-B670-00AA004CD6D8}\ProxyStubClsid32\ = "{B196B286-BAB4-101A-B69C-00AA00341D07}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C718A08-6CA1-4AE9-A9CC-7CAF009F41B1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BD1AE5E0-A6AE-11CE-BD37-504200C10000}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2344718B-40D0-4CB0-9A92-78C3C3AE7FB0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31574D6-B682-4CDC-BD56-1827860ABEC6}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9439C693-9C23-4A4C-B269-301F15EE64B5}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99E01BE7-D840-6DFB-694F-8814C2EC727E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30E038F9-64C9-4A5C-BA4C-F9F7DF30849C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F76A169-F994-40AC-8FC8-0959E8874710}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C179334C-4295-40D3-BEA1-C654D965605A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E75D5EE-BD10-4119-84B9-959626F49AB0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E820910B-1910-404D-AFAF-5D7298B9B28D}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BF80980-BF32-101A-8BBB-00AA00300CAB}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F88DDD9C-E19F-4FFB-9BF7-6199F8E45940}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A895D5E-DDC8-489C-9000-03D523342AA0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{985C98A3-21F6-4585-9E13-F708CB0DE4F2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CFCC809F-295D-42E8-9FFC-424B33C487E6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6FE2B64C-5012-4B88-BB9D-7CE4F45E3751}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F6E41E5-25B1-49CE-A00A-2DA5A99EE4F5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C939908-0198-4DA2-BD62-ED4938EDB44F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B196B28D-BAB4-101A-B69C-00AA00341D07}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9E4ACADC-549F-40BD-AEA2-27D09522D7BC}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66A9CB08-4802-11D2-A561-00A0C92DBFE8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76550116-B458-4B21-B1BB-8A48027C1200}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA1C27EE-A334-470A-861B-DBB78351A042}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B55E4D76-2743-4B4E-AF8D-18817545DE74}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{95C8147F-90F8-4558-B69E-3CE897533F46}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C32FA17-30A4-42D5-B7DA-FFE8FCFCCE45}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7C40885-2506-4EB9-B4AB-0E1E3D3FD5F9}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CE81583-1E4C-4632-A621-07A53543148F}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A7538EB-4540-4D7A-904E-B2AEEC4AEFAF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7BC9FC77-D85A-4220-B7DD-7B22CF22D0ED}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD45E71-D927-4F15-8B0A-8FEF525337BF}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D043CEA-6CDF-43A3-B9D0-D755297C11D2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17D0605C-17CA-4B6A-870C-CA9B7ED6C937}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48F8A5B1-82B4-47A3-8A7A-A097BC5E349D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4F0FBF7-52EF-4E24-90B6-588FD681BBCC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECF43B3A-724A-46BB-BAD3-6AFE0BEF0728}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FAF1156-8855-47B5-BDC8-4555D13C095F}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E34649E-3815-4FF6-83B3-A14D17120E24}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{04C419DF-6369-4B13-8D6F-25992CB3FEEB}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BF80981-BF32-101A-8BBB-00AA00300CAB}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D5655BE-8659-5E1F-92A4-E67845053B71}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4EA5C164-584A-4BA9-B420-86AA52D1C92F}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D00FE662-58EE-4068-9EB9-F5BC39972EF4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D72473-CD4A-411D-A73E-6B212CEC6CA8}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{528FFB4C-0620-4C0F-AB7C-F85596896E09}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1320F6A5-998F-5BD9-8EC1-698BEAA80173}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CAAACA0F-9B02-4565-B3C5-9B20FC4DA566}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C163D3C-95FB-4B8D-B9A3-878C8085EFC5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84108017-A8E7-5449-B713-DF48503A953E}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F3A72B0-4566-487E-9A33-4ED302F6D6CE}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{241C033E-E659-43DA-AA4D-4086DBC4758D}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4076891-6BF7-447E-BBE8-426ED719D3B5}\NumMethods	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
100	utilman.exe
100	utilman.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4948	nvda_noUIAccess.exe
4896	nvda.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	1596	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1596	AUDIODG.EXE
Token: 35	4948	nvda_noUIAccess.exe
Token: 35	332	nvda_slave.exe
Token: 35	4896	nvda.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4948	nvda_noUIAccess.exe
332	nvda_slave.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4896	nvda.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
332	nvda_slave.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe
4896	nvda.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe
4948	nvda_noUIAccess.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 4948	4584	nvda_2022.3.2.exe	80
PID 4584 wrote to memory of 4948	4584	nvda_2022.3.2.exe	80
PID 4584 wrote to memory of 4948	4584	nvda_2022.3.2.exe	80
PID 4948 wrote to memory of 4184	4948	nvda_noUIAccess.exe	85
PID 4948 wrote to memory of 4184	4948	nvda_noUIAccess.exe	85
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 332	4948	nvda_noUIAccess.exe	92
PID 4948 wrote to memory of 332	4948	nvda_noUIAccess.exe	92
PID 4948 wrote to memory of 332	4948	nvda_noUIAccess.exe	92
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 332 wrote to memory of 2452	332	nvda_slave.exe	94
PID 332 wrote to memory of 2452	332	nvda_slave.exe	94
PID 332 wrote to memory of 2452	332	nvda_slave.exe	94
PID 332 wrote to memory of 1592	332	nvda_slave.exe	96
PID 332 wrote to memory of 1592	332	nvda_slave.exe	96
PID 332 wrote to memory of 956	332	nvda_slave.exe	98
PID 332 wrote to memory of 956	332	nvda_slave.exe	98
PID 332 wrote to memory of 956	332	nvda_slave.exe	98
PID 332 wrote to memory of 4104	332	nvda_slave.exe	99
PID 332 wrote to memory of 4104	332	nvda_slave.exe	99
PID 332 wrote to memory of 4104	332	nvda_slave.exe	99
PID 332 wrote to memory of 2784	332	nvda_slave.exe	100
PID 332 wrote to memory of 2784	332	nvda_slave.exe	100
PID 332 wrote to memory of 1960	332	nvda_slave.exe	101
PID 332 wrote to memory of 1960	332	nvda_slave.exe	101
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 4896	4948	nvda_noUIAccess.exe	104
PID 4948 wrote to memory of 4896	4948	nvda_noUIAccess.exe	104
PID 4948 wrote to memory of 4896	4948	nvda_noUIAccess.exe	104
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4948 wrote to memory of 2824	4948	nvda_noUIAccess.exe	63
PID 4896 wrote to memory of 876	4896	nvda.exe	107
PID 4896 wrote to memory of 876	4896	nvda.exe	107
PID 4896 wrote to memory of 2824	4896	nvda.exe	63
PID 4896 wrote to memory of 2824	4896	nvda.exe	63
PID 4896 wrote to memory of 2824	4896	nvda.exe	63
PID 4896 wrote to memory of 2824	4896	nvda.exe	63
PID 4896 wrote to memory of 2824	4896	nvda.exe	63
PID 4896 wrote to memory of 2824	4896	nvda.exe	63
PID 4896 wrote to memory of 2824	4896	nvda.exe	63
PID 4896 wrote to memory of 2824	4896	nvda.exe	63

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824
- C:\Users\Admin\AppData\Local\Temp\nvda_2022.3.2.exe
  "C:\Users\Admin\AppData\Local\Temp\nvda_2022.3.2.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\nvda_noUIAccess.exe
    C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\nvda_noUIAccess.exe --launcher
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\lib64\2022.3.2\nvdaHelperRemoteLoader.exe
      C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\lib64\2022.3.2\nvdaHelperRemoteLoader.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4184
  - - C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\nvda_slave.exe
      "C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\nvda_slave.exe" install 1 1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:332
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe import C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\COMRegistrationFixes\oleaccProxy.reg
        5⤵
        
        PID:2452
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\Sysnative\reg.exe import C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\COMRegistrationFixes\oleaccProxy.reg
        5⤵
        
        PID:1592
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        C:\Windows\System32\regsvr32.exe /s C:\Windows\System32\oleaut32.dll
        5⤵
        Modifies registry class
        
        PID:956
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        C:\Windows\System32\regsvr32.exe /s C:\Windows\System32\actxprxy.dll
        5⤵
        Modifies registry class
        
        PID:4104
    - - C:\Windows\system32\regsvr32.exe
        
        C:\Windows\Sysnative\regsvr32.exe /s C:\Windows\System32\oleaut32.dll
        5⤵
        Registers COM server for autorun
        Modifies registry class
        
        PID:2784
    - - C:\Windows\system32\regsvr32.exe
        
        C:\Windows\Sysnative\regsvr32.exe /s C:\Windows\System32\actxprxy.dll
        5⤵
        Registers COM server for autorun
        Modifies registry class
        
        PID:1960
  - - C:\Program Files (x86)\NVDA\nvda.exe
      "C:\Program Files (x86)\NVDA\nvda.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies Control Panel
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Program Files (x86)\NVDA\lib64\2022.3.2\nvdaHelperRemoteLoader.exe
        
        "C:\Program Files (x86)\NVDA\lib64\2022.3.2\nvdaHelperRemoteLoader.exe"
        5⤵
        Executes dropped EXE
        
        PID:876

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x42c 0x410
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\system32\utilman.exe
utilman.exe /debug
1⤵
PID:5004

C:\Windows\system32\utilman.exe
utilman.exe /debug
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\Banner.dll

Filesize
4KB

MD5
a1b9bdee9fc87d11676605bd79037646

SHA1
8d6879f63048eb93b9657d0b78f534869d1fff64

SHA256
39e3108e0a4ccfb9fe4d8caf4fb40baa39bdd797f3a4c1fa886086226e00f465

SHA512
cd65d18eca885807c7c810286cebef75555d13889a4847bb30dc1a08d8948893899cc411728097641a8c07a8dcc59e1c1efa0e860e93dada871d5b7acc61b1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\VCRUNTIME140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\_bz2.pyd

Filesize
76KB

MD5
1c52ba084a3723940c0778ab5186893a

SHA1
5150a800f217562490e25dd74d9eead992e10b2d

SHA256
cb008e0a6c65ddb5f20ab96e65285dee874468df203faeafca5e9b4a9f2918dc

SHA512
b397508607a1c7ccef88c6a941398f78ba4f97cf8a32f40764673db34c20eea61364148260d87014348613eb07e959a043b505702437e33927249899bf4522b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\_bz2.pyd

Filesize
76KB

MD5
1c52ba084a3723940c0778ab5186893a

SHA1
5150a800f217562490e25dd74d9eead992e10b2d

SHA256
cb008e0a6c65ddb5f20ab96e65285dee874468df203faeafca5e9b4a9f2918dc

SHA512
b397508607a1c7ccef88c6a941398f78ba4f97cf8a32f40764673db34c20eea61364148260d87014348613eb07e959a043b505702437e33927249899bf4522b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\_ctypes.pyd

Filesize
102KB

MD5
10861d3fa19d7dc3b41eb6f837340782

SHA1
b258d223b444ab994ec2fec95acaa9f82dc3938c

SHA256
6255bab0b7f3e2209a9c8b89a3e1ec1bbc7a29849a18e70c0cf582a63c90bed1

SHA512
ec83134c9bce9cedeee8ebdb8e382fb7f944a7bc9d3bb47c7e3144ef2ef95114a36ac1cc8c0d52f434ee4c359d938a2d7c035e699c4407df728e200de7da4af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\_ctypes.pyd

Filesize
102KB

MD5
10861d3fa19d7dc3b41eb6f837340782

SHA1
b258d223b444ab994ec2fec95acaa9f82dc3938c

SHA256
6255bab0b7f3e2209a9c8b89a3e1ec1bbc7a29849a18e70c0cf582a63c90bed1

SHA512
ec83134c9bce9cedeee8ebdb8e382fb7f944a7bc9d3bb47c7e3144ef2ef95114a36ac1cc8c0d52f434ee4c359d938a2d7c035e699c4407df728e200de7da4af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\_decimal.pyd

Filesize
213KB

MD5
5596249b64c074374eaa1d4084e336c3

SHA1
3748f6ff018c50913379b562e776f739e2a25a1f

SHA256
673bd4cacf3b5f8da67c9c84e03e238961ca98683483de78d0a6410200f7aba6

SHA512
075438583be8c186402bbfdc2ebb931f849d774d808ade6ddeb55e1ea86646824560f1c981e859b55e71192f2d7e349ca967d61dda0f3bd8081b329d2821c3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\_decimal.pyd

Filesize
213KB

MD5
5596249b64c074374eaa1d4084e336c3

SHA1
3748f6ff018c50913379b562e776f739e2a25a1f

SHA256
673bd4cacf3b5f8da67c9c84e03e238961ca98683483de78d0a6410200f7aba6

SHA512
075438583be8c186402bbfdc2ebb931f849d774d808ade6ddeb55e1ea86646824560f1c981e859b55e71192f2d7e349ca967d61dda0f3bd8081b329d2821c3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\_hashlib.pyd

Filesize
31KB

MD5
4f51ed287bbae386090a9bcc3531b2b8

SHA1
26bd991ae8c86b6535bb618c2d20069f6d98e446

SHA256
5b6da4b43c258b459159c4fbc7ad3521b387c377c058fe77ad74ba000606d72e

SHA512
2eb2ccd8e9c333b5179cf8f9fd8520cb3d025e23a10dca3922e28521cfb9a38f9dd95f5d4f2784643eed08925d9008e5238ff9f93bdd39ee55414131186edff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\_hashlib.pyd

Filesize
31KB

MD5
4f51ed287bbae386090a9bcc3531b2b8

SHA1
26bd991ae8c86b6535bb618c2d20069f6d98e446

SHA256
5b6da4b43c258b459159c4fbc7ad3521b387c377c058fe77ad74ba000606d72e

SHA512
2eb2ccd8e9c333b5179cf8f9fd8520cb3d025e23a10dca3922e28521cfb9a38f9dd95f5d4f2784643eed08925d9008e5238ff9f93bdd39ee55414131186edff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\_lzma.pyd

Filesize
143KB

MD5
f91a9f1f2efee2f5dbae42ea5d5d7153

SHA1
2575cc77b51cb080fceed9810a9f4b2903ae1384

SHA256
1f82bb06c79b6b392c92cad87ffa736377fa25cd6d10da8d61441d42c0d0101e

SHA512
df1dfb8c8cee3496a60eeeb6f0d3fe48e1de8af5d04667f9a3124b769e8edd886cc46e6e4d4b277ee5d30f9f70f6f8c755097ddd996573a6817a5bb335de919f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\_lzma.pyd

Filesize
143KB

MD5
f91a9f1f2efee2f5dbae42ea5d5d7153

SHA1
2575cc77b51cb080fceed9810a9f4b2903ae1384

SHA256
1f82bb06c79b6b392c92cad87ffa736377fa25cd6d10da8d61441d42c0d0101e

SHA512
df1dfb8c8cee3496a60eeeb6f0d3fe48e1de8af5d04667f9a3124b769e8edd886cc46e6e4d4b277ee5d30f9f70f6f8c755097ddd996573a6817a5bb335de919f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\libcrypto-1_1.dll

Filesize
2.1MB

MD5
aad424a6a0ae6d6e7d4c50a1d96a17fc

SHA1
4336017ae32a48315afe1b10ff14d6159c7923bc

SHA256
3a2dba6098e77e36a9d20c647349a478cb0149020f909665d209f548dfa71377

SHA512
aa4b74b7971cb774e4ae847a226cae9d125fadc7cde4f997b7564dff4d71b590dcbc06a7103451b72b2afe3517ab46d3be099c3620c3d591ccbd1839f0e8f94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\libcrypto-1_1.dll

Filesize
2.1MB

MD5
aad424a6a0ae6d6e7d4c50a1d96a17fc

SHA1
4336017ae32a48315afe1b10ff14d6159c7923bc

SHA256
3a2dba6098e77e36a9d20c647349a478cb0149020f909665d209f548dfa71377

SHA512
aa4b74b7971cb774e4ae847a226cae9d125fadc7cde4f997b7564dff4d71b590dcbc06a7103451b72b2afe3517ab46d3be099c3620c3d591ccbd1839f0e8f94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\library.zip

Filesize
9.3MB

MD5
f826bb52ddab0052a8131e1784618420

SHA1
a26b334565d2a08883a88caffbfd0f35e09eb19f

SHA256
85935491d40e30473dfc64bac0c29f3e53888cf4e6119b422e8d093ac76544d8

SHA512
6bb7a4232c15ffa74b19d111e89c33f5d86e71165c7747cfbc3def01dd18f4f7476bd6b3f6f9ac500ae4634c07f71b105022166d03e7cab93ef93435e654b4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\af_ZA\LC_MESSAGES\nvda.mo

Filesize
78KB

MD5
ddf164252c227d8982237930867c5f34

SHA1
ece609d113f2cf731f8055ea95e9602ed09923e5

SHA256
afa14c0ab1c997867d55939987260e870ea65e32513c7bea463e141863390a6f

SHA512
03d493fa01ff544d5a60f0f58db21258a6aa67180369a03fd394bdacfacaf554597c319bbc53ea95131b77e005c618942d7f1c58cab65ad60d1eed763d2acb91

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\am\LC_MESSAGES\nvda.mo

Filesize
29KB

MD5
5542c172f06ab4057615103658fa8163

SHA1
1ec15c6883a0604fdd001dabb1ee3d99971ad72f

SHA256
323f594bb98c121f7545ca26e7cdeacacdd0865eb8281ee8c3d0e4338bb78fe2

SHA512
fd27d7e1e9f65ac3c307ab53c78c4cfce19bac8e64330a956f980e309052e606c1e0ddef277d4b2921556ab690401906cd7fd81fe564de195bfb8c6d7bd44d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\an\LC_MESSAGES\nvda.mo

Filesize
212KB

MD5
14b3b22b726fc08b3c081d28ff5651f1

SHA1
4c2054d82cd8309cbe2140fcbe578784db21a397

SHA256
f17e2864740c59ad4bb7ef7fb0b957297d1c57a5c154030d0511eaa0e3fbc631

SHA512
102fa2485cbbb655584a59146d4a41bc943dcd16185a232358e7d57ee4b7ac1e62881aaac0096eb1e7f5279b4cd2a7217942e8abf2f526a0612ea35c52400ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\ar\LC_MESSAGES\nvda.mo

Filesize
258KB

MD5
bbf9d675bdc5d27ce1b8f8fd00c8d866

SHA1
cfede2cecdcfbd5942b9f98886804a3c96531cd8

SHA256
9c3c0d8e482b9b7620a9efe668fcd6bed047cf8bc99b11a7a6f4dce83dba20bd

SHA512
70a2cfe177b5dd58b17301a4ed2ffcd095bc24c2495392f492eb5b89923b7c1f2bbaa83239b7fce76c2c0ff53ffe340ee4e5508ca39d23cc7d724b5074ccc05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\bg\LC_MESSAGES\nvda.mo

Filesize
287KB

MD5
c84b8f95ff743c64dd1c13e374bf9e06

SHA1
1435e9a3a68657ca3f60f8b3cfa84509b03c0897

SHA256
2fc7b79242d5b56cf95d5c986fbc5744d5d9a5fba1b1f1a28973750fefed233e

SHA512
87d3dedbd2c465b315e22d9f9168a2efb3661e0d4557939630956eb68f47624b4ef4f2b69ef410e4e33b7dc4e48b99c56965a51c329f0b900ebcd881bc747e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\bn\LC_MESSAGES\nvda.mo

Filesize
439B

MD5
2ad4e0cf97bcaf8b1b0fa1c1de058213

SHA1
bbf7dcb7a9fce0f532203b9a6b0fcc5637564b40

SHA256
abbe9bb692caf07f409d9c861cf8f9c3e34c799ddb40532e401e18b3e2f4cf19

SHA512
8fa2f132db35043856e55cacd7ebe91fc873ed3e2d9d4e7f0990ce3ae6336a559e20457ad262f33d2845bb2205f8408b07b56d8528633a8b8bad159a109e9380

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\ca\LC_MESSAGES\nvda.mo

Filesize
171KB

MD5
3b9bb0b0b10942234d2b5b8f5e233f3b

SHA1
e0caf9d2e3dde8b188fc3aa1749ee582f578b586

SHA256
72bfed1a7c808fbdc891fdb0e6fecb51e610c74a26c1cf7f035cf9086a2af035

SHA512
85881e209633914e648011b3ad9b0c20a3ef9798ac511ec1edd006c37d2b9b3b4aa93ab0a002d6fa478e248c2b5a56017adbb3a4415b578281d930b687b42dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\ckb\LC_MESSAGES\nvda.mo

Filesize
275KB

MD5
1503d3fff460e7124a20a56873e59caf

SHA1
93f4ed20d143430e9921c8ec6f4934e802d7fe0b

SHA256
13e3c5b47d54bd56312f23d3a4b4cee936a2d213f8db96ad2cd0abbb1edecdb9

SHA512
23b880b524588acb61a3b098b0dbdf065ac8ef71ef1605f0f04f3533a6bab43c09229e4e7bd0a4ac7a36185d74d96c77b6386c1207e5d4041db8481afc3b6e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\cs\LC_MESSAGES\nvda.mo

Filesize
215KB

MD5
99aed3add2860e7baae178ccd520eb8f

SHA1
683b0f4ba6fe29e661ea7dfe81755d4b750f0fbd

SHA256
a0c376b63fc2cf1cfbb8eb20565c762e9085996253a8a3375f2404d0344e687f

SHA512
7414ebeee9dc0774dcff152454fef77ead74949051dfa813a76c29c4a7eaba84b1dd0e3a2c599a0d42b52fec9db54ecc37e5cf175bf6270cb3754321098cf69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\da\LC_MESSAGES\nvda.mo

Filesize
210KB

MD5
c33433c9b5c5be37189761b21fbdadbb

SHA1
183cf0ba343661cc5513ae05fd2972b7c59cd3c4

SHA256
772fcd036927f830ada251919a7fa12a7855dce0456667522e6ecbf5190f4355

SHA512
e64fe28cb62434f179a7212ebb4210db39907efa2190b17b06254a513537e8ce09b7c15c8f6abae032bc2e3dd660ee2697ad5f900f60a3b221de9226178938cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\de\LC_MESSAGES\nvda.mo

Filesize
222KB

MD5
4823b7ce75cf889c2e03c4153ed5c8bf

SHA1
89e2c20f403cdf84b3eaac18754fcbcfe13aed10

SHA256
882210625401918d8c75926519dfb2f36bc9228f6eac0229b7cc0729716ada90

SHA512
a76f6d4b85a69c2759524df3308455a5bdc47f172cf8db5f8bac273a1e1cc3cde9578670aae33cdd073a3240880a32bb8753559269fd08dcc99fe414311941e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\de_CH\LC_MESSAGES\nvda.mo

Filesize
199KB

MD5
c129a272cc0d194347f590d9135a0fa4

SHA1
f133bb8bea1d76f285338c85a2500496ad749729

SHA256
85ed87ae7cb2e6a61829451d3c3caffaf208b5b47cdce159c2430dea7e7194b5

SHA512
7ff013adfe10bd0eaff74e0e4b283543140947e5d61aabc1578d1182ec9babb59778e64c773b604943f37ca17486bc39d78002c14a17601b167275b84ccaff5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\el\LC_MESSAGES\nvda.mo

Filesize
304KB

MD5
acbdc7cf4b317a98fc19affa46be6a41

SHA1
f901f12bce6d2e4f07e1080b9f73f596f6584069

SHA256
42c3018cf6cd3088aa8ff942d56546bac0704d583b4eb4fd3e1b8997b53aa703

SHA512
a0b5572d350c8e90384076d3dd0232f8bddb8b613ddf7dc465421163d57ab7ae40021baaa3837f8df762cbaee264b6b5121c3fa9d437b52ac7328d00f401f6d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\es\LC_MESSAGES\nvda.mo

Filesize
221KB

MD5
4fc2f816786758f6a4e4b164213db590

SHA1
751a91f631a9bf668cb2b54bb71d3cf8f0fe5a73

SHA256
825da003d8ad1ec07a1ba559f672881e4ca9495b882abb1fe03cbd50310d743d

SHA512
d144413f73c973981bc3e1621cb80c7bbf5927dfb3d9fab4c1677a182181ab80fdbd8faa6d718dff7223769b49f9439cba4da6d8905e4d274ffc4a858ae4c2d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\es_CO\LC_MESSAGES\nvda.mo

Filesize
193KB

MD5
0dc4622b5cab2480688225cf325366cc

SHA1
f4f8cd03340eb8d32ff36056df05f6ef151f5d7e

SHA256
a299beef7a7c93fdc99eaca8d4dc78c3c87c68792f4a786e0d64a9bc8384f606

SHA512
35781dd9ebfaf5d1b53b996e3bedebb04b1235f05ff70ef915e32f7f304c70836ce810f9601bfab90cc55fd3e952522083b88151710bacb3a2d0548d10d275ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\fa\LC_MESSAGES\nvda.mo

Filesize
259KB

MD5
0c406813f0b361499e2e4db604f988c4

SHA1
912492e236d801ff76e73cee804af3611581f41a

SHA256
34b28a274e3c8cb0be8f1f9e61d416e7604ec25f9f3fff3d448d8e360ea22914

SHA512
30165ebf77a540d34a29042e62474cd74f460a570c76243b878b03c426a856224f6c6dd1934604592701706e996089a17221494ef0d28703cae018c7d9c08d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\fi\LC_MESSAGES\nvda.mo

Filesize
217KB

MD5
fafdb7f14f7d84d811b0c332793036a5

SHA1
05de2ad299c92222c3db015db2f5a40d1a38633e

SHA256
2772fda5e1b3befefaf6b4a36105e0ba27de3e4c9e88e8aaee93a4836269ce71

SHA512
8f08d8ff0fdf8e7d2c6ac04bf12544c8898fd612921c097f66562377bda32d51f0c690b1dceda5c5767a0c541480b3b751bbfbe9adae02d24e8af672725caf3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\fr\LC_MESSAGES\nvda.mo

Filesize
221KB

MD5
e5a3dc3a5c1b42f29c9019104f7d7474

SHA1
a3a47cbe97bcb7d81f17b7743f3fae9592374be9

SHA256
b7472930e07debb928b20e113f6b1033ce4ae846c62c89ba46ec3d4a7aeb7cc1

SHA512
1563e5a54546b800b4eb844d098073d58aab76e75a00b4ea1a2dd9c7b4fd4404438877048ea59068659fc95cf2896439cf2e7caf0ba6239421ee8b933b7d6acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\ga\LC_MESSAGES\nvda.mo

Filesize
216KB

MD5
cf2a53752ac199e28d7a1dc04d49cd12

SHA1
edc01e37fe765408a429b12d657ce1b85df1a457

SHA256
259df0bc8ba2c4739b5c3d14f9efbc29e86663a75c5a9ebc765c3159c445c648

SHA512
4a5a39fddb70e94744aee65ef9039b02476e510585ef3fbc06226b79f44538bd55b493eda33ed60af0cafeb739f5fbc212c636a6479c1e0997b386b43f7e5ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\gl\LC_MESSAGES\nvda.mo

Filesize
218KB

MD5
df49af297e4eef7be78fc8e70362a862

SHA1
14fb79acfcd2425ab597867380e2f879f108ef77

SHA256
796619cb9f214a7b91379dda7260806b8fd68666bcdbe53afe175d47bc8d3f64

SHA512
c0cd3b1c3ef94b3e4b049858a6eb8153ec7d415016def6665829051c2d711745cc92523a63a44dbec80ea8165e1618a0eacfa0f2db767d1f5485f4474856cd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\he\LC_MESSAGES\nvda.mo

Filesize
224KB

MD5
fa879d85c671c6458a6538332f8ebca4

SHA1
e3066ed4226cba2226e064e6209be722362588d5

SHA256
6d7452982baaff3a5618619aa27dcad89609dd3941e29f03ecec7285b7bbd40e

SHA512
44762bb8f49a11f31008c997ffead7bc397053442486ddbe1a461c609bf8e8ee7aabdf2b969f99905763404c0923251e4dc5818d7431c3537b944aa0b54a84aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\hi\LC_MESSAGES\nvda.mo

Filesize
273KB

MD5
a19f5e4a94ae070211f2c8b5560e4466

SHA1
0331e055b59b1621c99efb3984df63a1ba76bcad

SHA256
8b53ea7c38603345f562fb16bd97aa55157f8460a9114fbfab07b4773c15a77d

SHA512
fd4ef1994c33076b0fcd85537aeb8d9ae0299cc668ddd1f2a606b389fc46590fa6f745e925dca29de9f845898d770a4ed273f6182711a6dda8b43953761eafa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\hr\LC_MESSAGES\nvda.mo

Filesize
220KB

MD5
04d9d47b94acf5a4d419f891cb1ce8c5

SHA1
3224d367a237cfd2b1e64e6a60f31b8ed43874f3

SHA256
f139f346d8de174d102ccfe2c23a9a39abbc6fad5d78aa1ca875354db02e7588

SHA512
6c0bb8f140bec6142032bd91875883819b3571cca7abe7848516333c3d57d5d91dc6a3f44dadbfb732ea7165cb4afeb5e8d1a3887afffc320d3a5534a03b55d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\hu\LC_MESSAGES\nvda.mo

Filesize
216KB

MD5
3eddb4879cae00ca10e4b3f8c83b040a

SHA1
c37de9642670e0164a5a08198976a6880d6c08b3

SHA256
4c5a199f8daf3a5ab90d384ddb930bdd662d3e3aa579bf957bb58f48418e2de0

SHA512
44267ee2e34367a5b57c5aa93ee35dac73269872b21d4bd1f526317038bb0ed1e210888f74666b7186627aa5207db8578d7d004924dc886b59741e500471bd9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\id\LC_MESSAGES\nvda.mo

Filesize
39KB

MD5
43e2c55701c1b0e62149f687c3023133

SHA1
aee279e5fc6a5728b5df202ac9559878b2a412af

SHA256
67de84c0257a72154a48f9a376f99bbdb31d8e4e34dc7b6c23decb4718b4d74e

SHA512
5be58f082018a1fb983494b115b77976b8964940d60db1d309ce3c0a804e344a0fb3e7388954d18185cfb64e8c7fff0952775d097c4990c61f696dac7f88252c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\is\LC_MESSAGES\nvda.mo

Filesize
67KB

MD5
77dd36fa255c0fac6c2a68c57b525be4

SHA1
b56a935922d91b61bb90a84823cf17e5115ad83f

SHA256
eee325db8a396cd3c59111037273f3ef1b4d50f295b3302e5c4fccdf50b57fb8

SHA512
4f90cee9f2705a1a4ab920ad612bd3ac5796eb36e748861630b15c41a0a849cfccb03b3e87d1674d6562d1121e3b3fc090e396af953632c9e00ca95fefe09a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\it\LC_MESSAGES\nvda.mo

Filesize
220KB

MD5
dd537ea0013016d1e23dc03e5df38595

SHA1
f82bfe9d96978d33e6e476ebc9ada50058a6edd5

SHA256
27537a6190a17acf4e8b5da68bf3f91b4548e94d68c84fe9a3d1f88a784d8444

SHA512
4817b4f09cabffca6ea6f601a6170662bc0e9f0264f2a911244ba1649ed7b8ec5a6e5a1d150bac0f34bb562a3756365ae2ac3ab652aff134a81aae5c3a586d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\ja\LC_MESSAGES\nvda.mo

Filesize
228KB

MD5
cc8601cbad18003253c9a7662d34420c

SHA1
73dbbe41ea50508f8af5030626f192797b49e2e0

SHA256
2c45904935f3cbc897afae9e523950334ac860bd0ab6e5c93bc7f37da4ef8478

SHA512
9d199ca580dc6194d09bdae32c3fcec3f573c43624f1f133cacca8a96f803062e14daf8e85d026de30f11eb8e43c93e77009eb6503f4e28449426d06a24ad087

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\ka\LC_MESSAGES\nvda.mo

Filesize
352KB

MD5
da09a943988150cec40b4f48186e67ef

SHA1
1641b17705457595d1c6aa7d63b4948aae7d6a01

SHA256
83affedfe056bdb5e3e231e4ebac9de17924121093a23d1237f2567ed54c9b82

SHA512
64e053897c7d9d03e063c37c67cb920d2b295fe9153ff8f060135a7bbcd4fb21e556270d3a9c82eb343ede2b56b236fdb5a9448406f7147488b52cf56f250c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\kmr\LC_MESSAGES\nvda.mo

Filesize
109KB

MD5
43daceeb0ac4005381d38b530e728b0e

SHA1
6bc057159e3d8b1105f514586146401f2df9a846

SHA256
dfab3ecd195c3952fb5756e1f0ec53741be3710ed033cd1d626b98e10223312b

SHA512
f6d95673372a6dcce87845c48436e2af3697eb385506bb0ad9701510290c9e2ec0a316bf9f24b9305689b2e527d9439f7521d40061349dc1b436b8255dea68db

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\kn\LC_MESSAGES\nvda.mo

Filesize
181KB

MD5
b44fe700575a296b0e82b997c360d1bc

SHA1
2f24c300b60d9da64db3b74e67f78a5833bee774

SHA256
7ef65cfff971a0d0cd1d92e50e5f33103349f8154ff3dbd1413f5cc3af0c3da6

SHA512
605fd61021bdd1c21a07ccd062b9e13a88324868d3b140880cfaeb9ee353047b139cd0dc6ed341898d426a0382675fefde745a3de2e820c4e72dc9c9229faa17

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\ko\LC_MESSAGES\nvda.mo

Filesize
218KB

MD5
74a76bb0f493d56c69eafbc508d2b985

SHA1
14a19a4d7738189dc391ef04e54076a1d3eb8e79

SHA256
12c42b6c4cd9d66cfd17a0acb56eb7f74f5f5a25789448751b3a11fa66eed7ed

SHA512
d99a9059b883e549e115901707e225352faf4061e6394b476e02e8f4f59bb5a5391e96a13fcd37d561965feb1e5c51d65ca371b4019248f6c5feead7bb160fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\ky\LC_MESSAGES\nvda.mo

Filesize
221KB

MD5
88086d57a01f0b0507631f636e7f6490

SHA1
2776abcbb905a33fafce840180273223baa3de3d

SHA256
e57316cd2d683ccc43c09716235e7967feec999c2d0c66c58b0f53491d8f2d08

SHA512
5ee4fc971d22e113d3bba009e5882248778b6ac30b232c3c55192812bd8ec4aa8938132993e478ba711f45975804e32021d4de0ca62a8b9b7caf6918c279ddbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\lt\LC_MESSAGES\nvda.mo

Filesize
187KB

MD5
ccc17d95398c340d8c2a0f8dd82c5b4b

SHA1
682eef71699211e694b9aab1179cf754e9f45adb

SHA256
9649cf9e7940fbe48490991185a7413be7cc472dbbfce866556af778c35c9ee0

SHA512
9016c7dc3dbab11927c234286dbe93cbda36b6bd9003324579172cb23808de307615fec0c8bf6f5dc43f2ed646a2e01f214fb65c51b3386e97858fda62e6e583

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\mk\LC_MESSAGES\nvda.mo

Filesize
293KB

MD5
8f3b6488c6bc4e5ef015eaf451fe73f4

SHA1
689df42f384e01d20fbbc13f117148702b5a8bb5

SHA256
026f8e26add90aa7f53769f82ecc10e032c9d4379f42ef7fc70c2e912150b5c7

SHA512
8a44720b3f7c718b036805a968e2a3c61580d779e71c5dec6281bd94eb86d954a496322498b6d137c6bcc50527b31b4078f3ed4f60b6b2f913eff745df5ac0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\mn\LC_MESSAGES\nvda.mo

Filesize
231KB

MD5
1938e59802325803a4f9b6702cf763af

SHA1
63bf46e7bb224b7a6f830e08603a46a7a25c430c

SHA256
3fa31054f8efa0e7b5cd1d6f093d16cb63eb9e7c6bd1251358a5ff13b3bb27d5

SHA512
c82cacdaf1bea348e034d3ae045a6ea9edb5f9f57bbc7834446b11561169fe955ce04d18ce10ed32a1c2b4632a8587f8cc51a012e6aaae1e6ee0302abfbc1cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\my\LC_MESSAGES\nvda.mo

Filesize
282KB

MD5
d79f71073e31b842b4bdfc4b0152d6bf

SHA1
781006d6920b391abdae0c28beb16e4b2caa81d9

SHA256
dfbfbbc96c54d42e7bebbd7f91981e8263264bc58b262633ec0cfa3838941b42

SHA512
423aae49933d5fd3e5d58a2c3eda8fa29c9c79d8643c757bb8a441ccf4e33e4378f2b3be5a28d7501ae63b74f0541d43a330545f138f7c864fd57717a58ed2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\nb_NO\LC_MESSAGES\nvda.mo

Filesize
137KB

MD5
639518500e9d3297388e08c112c35a6b

SHA1
528dc6530a17e57022d68eacc0af59bee495f44f

SHA256
37810d41105fea52c4060d45269c6009e3b0b5974e50d4238eb60ba7b9b9fe37

SHA512
431140b758a149b9ab16b10027ff74fba59f735e7b384ab07b0c369f4f3e6364f7913e34318f5d3bb7ac74053c1a1a6f15429f1cf2795b2849246ca63bba8846

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\ne\LC_MESSAGES\nvda.mo

Filesize
187KB

MD5
04873aabd3c26d7d5ae44621b2b9f8e5

SHA1
c5235a236c9338a135378b89a03fcebd5ff7cb76

SHA256
3bacb8b7dfa41415d7bb039e3b90990ea8e58b0709c44e06476caa7399b9f410

SHA512
c0336ced61b755471bfb796aeb9e697ae6bd5b0cfcb67bfc4a8c071418488926009ac51b29e182d6e6df0f5e0844704342cfa878a7776b761b09e96dae1b1e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\nl\LC_MESSAGES\nvda.mo

Filesize
213KB

MD5
94d87582b2dfb659a61849dd85f8e907

SHA1
b2a8e44f06ac8d74b76edc6a1b3b4dbd8dbe14b5

SHA256
09f72cc1059300ee1d9afaae8a807a9ad4de8856c410cb0849451d10c5e34489

SHA512
7826e0a5d46d41b4a359ca88a2f6c7310c6032ef3e75a34f60a2083899dd46db60cdef60c190bea855c656bc54a70f2e3713159e7580751ac95858d62b3d3552

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\nn_NO\LC_MESSAGES\nvda.mo

Filesize
81KB

MD5
0a9cdaf1193a0175e56d4f0df0153f1b

SHA1
38911417925a72634f086fc8964a7d608b54fd3b

SHA256
080eecd1e9662ec2d41850adc7928c40aef2def77b9652687a687302e1431a51

SHA512
1e6061fb033406c2bf27ba96976beb19c2da4ddf7ecc4358663c608a476b44baf10dd5140033940979a07dc0d6e0b19b24098fa1769e9b624885be645d06d1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\locale\pa\LC_MESSAGES\nvda.mo

Filesize
55KB

MD5
e2830b5674997115757ab5676203889b

SHA1
3f6b0d0c42adc11b9866dd5d75685e001e70266c

SHA256
3d21ca9e53bc0a6f6597ba480d0ef20153cea27af186f8d6317afbfa6202c7d5

SHA512
429c7ac8b86766b0942d7f9a063904f6e5ef30cb49724e4c096a9726cc6af84f71cd4782541710ad8c95692d3ea91245c2d00db35181cb814464aca800f73ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\nvda_noUIAccess.exe

Filesize
76KB

MD5
459308e9afbe93db96aaf9278c04ade3

SHA1
29c549fbfbce7d315dd40f2836e4bd31663dac26

SHA256
2c40165a5ec532b9fbfd0c8929f9e610bd38a644c2ca834a8306cff3c406a7f8

SHA512
161bedadad388003189a4aa190ef970a8e6d7f8c67ade9e74e4a9e62709f6e2909b729826c4bfadfea82a18c5445480e5f923ef48c12fd40dbd6bec716fe9265

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\python37.dll

Filesize
3.3MB

MD5
465089eaced8159ec533e4a37033e227

SHA1
074596adae6f53f33b8297f02e21f6a6f7ac6ff1

SHA256
2b29ae140cb9f08af872acf9e17f785ef99398ef3367549b55242bc064d6ae40

SHA512
55eca0922074162c22fff2b4f97bd2972540fa893b9b02b7d9bfa26345186dbbdaf1fbc37a9eba6366743d0d42fb5bb88e708877dfd57cb02ca4d3a6953cfb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\python37.dll

Filesize
3.3MB

MD5
465089eaced8159ec533e4a37033e227

SHA1
074596adae6f53f33b8297f02e21f6a6f7ac6ff1

SHA256
2b29ae140cb9f08af872acf9e17f785ef99398ef3367549b55242bc064d6ae40

SHA512
55eca0922074162c22fff2b4f97bd2972540fa893b9b02b7d9bfa26345186dbbdaf1fbc37a9eba6366743d0d42fb5bb88e708877dfd57cb02ca4d3a6953cfb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\vcruntime140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\winsound.pyd

Filesize
24KB

MD5
e5892ceba7b672738704890877d13cf1

SHA1
c708ecdae79d2d086171901bbba68b4d9a22ec91

SHA256
729956f583aec78adc3a0b2a0dbd0635c8b96812740f66144356bd7046fe8c7e

SHA512
c015c4327d5b4c14db26ff246ba0ef2eda99f303eef67f2b459137d424d143990f98726ffc610d214a83da8e0ede794f960ee90d05bd18001b67b0a43a2fc75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF890.tmp\app\winsound.pyd

Filesize
24KB

MD5
e5892ceba7b672738704890877d13cf1

SHA1
c708ecdae79d2d086171901bbba68b4d9a22ec91

SHA256
729956f583aec78adc3a0b2a0dbd0635c8b96812740f66144356bd7046fe8c7e

SHA512
c015c4327d5b4c14db26ff246ba0ef2eda99f303eef67f2b459137d424d143990f98726ffc610d214a83da8e0ede794f960ee90d05bd18001b67b0a43a2fc75b

Download Submit
memory/4896-208-0x0000000073440000-0x0000000073A15000-memory.dmp

Filesize
5.8MB

Download
memory/4896-209-0x000000006EB00000-0x000000006EB10000-memory.dmp

Filesize
64KB

Download
memory/4948-198-0x000000006EBB0000-0x000000006EBC0000-memory.dmp

Filesize
64KB

Download
memory/4948-197-0x0000000073100000-0x00000000736D5000-memory.dmp

Filesize
5.8MB

Download