agenttesla | f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1

Analysis

max time kernel
428s
max time network
482s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

P0lko.exe
Size

58.1MB
MD5

a36ccf5fb6bc5c1342371a21b33a6f0c
SHA1

2daefc8e9d7a3f7d461a9cc7a2a69e9c87667c83
SHA256

f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1
SHA512

80f3c9e56cd1f9ba596c93a0742e5f56e7a44fdc678d9c3a19f0e90db9a81ed1ce09e159f61c57c566e47c428986f96bc29b7e1f71941c86961e3f43ab4dcc78
SSDEEP

1572864:TLOrJXzVj0mz3uu2etPQiWmoh8rb28CQG2Y:TLqJXBj0kuu3IDmnrb5Y

Malware Config

Extracted

Family

raccoon

Botnet

2ca5558c9ec8037d24a611513d7bd076

https://192.153.57.177:80

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
webmaster
Email To:
[email protected]

Extracted

Family

lumma

https://murderryewowp.shop/api

https://complainnykso.shop/api

https://basedsymsotp.shop/api

https://charistmatwio.shop/api

https://grassemenwji.shop/api

https://stitchmiscpaew.shop/api

https://commisionipwn.shop/api

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\NGOJToq.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/6384-2160-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral1/memory/6384-2161-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2388-2277-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2

XMRig Miner payload 27 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/4328-2226-0x00007FF678970000-0x00007FF678CC1000-memory.dmp	xmrig
behavioral1/memory/4004-2237-0x00007FF626F20000-0x00007FF627271000-memory.dmp	xmrig
behavioral1/memory/3836-2235-0x00007FF6EB0A0000-0x00007FF6EB3F1000-memory.dmp	xmrig
behavioral1/memory/6632-2244-0x00007FF7C6E20000-0x00007FF7C7171000-memory.dmp	xmrig
behavioral1/memory/5564-2253-0x00007FF7E7730000-0x00007FF7E7A81000-memory.dmp	xmrig
behavioral1/memory/5588-2252-0x00007FF7E2E50000-0x00007FF7E31A1000-memory.dmp	xmrig
behavioral1/memory/6436-2251-0x00007FF7EA3E0000-0x00007FF7EA731000-memory.dmp	xmrig
behavioral1/memory/6624-2255-0x00007FF730E60000-0x00007FF7311B1000-memory.dmp	xmrig
behavioral1/memory/6944-2257-0x00007FF7F90C0000-0x00007FF7F9411000-memory.dmp	xmrig
behavioral1/memory/6432-2258-0x00007FF7C0510000-0x00007FF7C0861000-memory.dmp	xmrig
behavioral1/memory/3496-2262-0x00007FF65C210000-0x00007FF65C561000-memory.dmp	xmrig
behavioral1/memory/4516-2261-0x00007FF6E99F0000-0x00007FF6E9D41000-memory.dmp	xmrig
behavioral1/memory/6252-2260-0x00007FF6C1510000-0x00007FF6C1861000-memory.dmp	xmrig
behavioral1/memory/7000-2259-0x00007FF6724B0000-0x00007FF672801000-memory.dmp	xmrig
behavioral1/memory/6704-2256-0x00007FF772250000-0x00007FF7725A1000-memory.dmp	xmrig
behavioral1/memory/5240-2254-0x00007FF641A50000-0x00007FF641DA1000-memory.dmp	xmrig
behavioral1/memory/6708-2246-0x00007FF6B91C0000-0x00007FF6B9511000-memory.dmp	xmrig
behavioral1/memory/2320-2276-0x00007FF6CC7E0000-0x00007FF6CCB31000-memory.dmp	xmrig
behavioral1/memory/6640-2282-0x00007FF777F20000-0x00007FF778271000-memory.dmp	xmrig
behavioral1/memory/3836-2283-0x00007FF6EB0A0000-0x00007FF6EB3F1000-memory.dmp	xmrig
behavioral1/memory/6500-2289-0x00007FF79ACA0000-0x00007FF79AFF1000-memory.dmp	xmrig
behavioral1/memory/3468-2291-0x00007FF6F9CA0000-0x00007FF6F9FF1000-memory.dmp	xmrig
behavioral1/memory/6996-2294-0x00007FF70C7C0000-0x00007FF70CB11000-memory.dmp	xmrig
behavioral1/memory/6640-2340-0x00007FF777F20000-0x00007FF778271000-memory.dmp	xmrig
behavioral1/memory/4516-2341-0x00007FF6E99F0000-0x00007FF6E9D41000-memory.dmp	xmrig
behavioral1/memory/6708-2344-0x00007FF6B91C0000-0x00007FF6B9511000-memory.dmp	xmrig
behavioral1/memory/4328-2345-0x00007FF678970000-0x00007FF678CC1000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

5584 powershell.exe
5676 powershell.exe
5680 powershell.exe
7064 powershell.exe
1052 powershell.exe
Downloads MZ/PE file

pid	process
5584	powershell.exe
5676	powershell.exe
5680	powershell.exe
7064	powershell.exe
1052	powershell.exe

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

msedge.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\7CEFF1EDC50F69E9648CA130B588ED5AECB757A8\Blob = 0f0000000100000014000000892578ff879eb9b2fb0d74d1235a0240ce0f3b450200000001000000cc0000001c0000006c0000000100000000000000000000000000000001000000370065003700650039003400620061002d0066003600350033002d0034006200660062002d0061003200370066002d0038003400300039006300610038006200660030006200660000000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000300000001000000140000007ceff1edc50f69e9648ca130b588ed5aecb757a8200000000100000000030000308202fc308201e4a0030201020210506d49202e2368a849d7890b46a70872300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234303931333135313535305a180f32313234303832303135313535305a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100d094bfe2aaa191cb1422d78a9311a07bbad9addc4dd44d6e2d09f1bf5d1133b9a7a23ff82e91b7e735533ff725a90ba586f216a55e3f8df6848bb9531bd097596e47f4364bee6787220f244b666938d26dbb197bcb6469bf0bb9d912a38643f8c088cd4894d43d82cc6b74f44e5b273d265f4b551350dfa619ab527d648a2660be18d907f0447af23bc40e0a6b1af4e1d524926bf6fbda539f7778b7aa3360a0636159b2e6d8323621064bedb34bd4ae2bff28b3159c4c77e7b2157d25b54a0e4045a11d2037bd4e5c74e7900dae3e14853f021c5bfdfdfdd07ae6a9b200e5fbe55355b443f49e1e3d3765801dacf8cf91305736c48ea5e9cd380b235de2f9550203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e404f445a4b445247560030090603551d1304023000300d06092a864886f70d01010505000382010100b48c547914e758a34b226aad9d78aff20c9fe3050681c7e672dd29c967eb6479ed6242c1f5824d7282a604d369afb43ade03858f606f372702d6541fe13186bb0b2badef6e8b9562c891bc801fca2cb24fbca4996dbeae903064a0675c5e59ac7ae0670969464e271c8f7a8b6e111023f985109f171d896be75c618bacc32face061b137a47e9368ee4a4473f90a1494a3b4e15b9abafe49b7648b8a569c77947817603c666b64b8b1ca388d4ed14049849f3a61f21451bd46b4011ca9946e4a3fb8bca708fe9a162355795f7fa8d525220ff0cdb582ef81f57470a74c9d4f5515adb5fe7b3089c9267083462258f0cb04de3a6a54595a7666fa0e280eb5ded7	msedge.exe

Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

5480 attrib.exe

pid	process
5480	attrib.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ajC91.exeBootstraper.exePurchaseOrder.exeavg.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ajC91.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstraper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	PurchaseOrder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	avg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 54 IoCs

Processes:

anti.exebutdes.exeflydes.exei.exeflydes.tmpbutdes.tmpgx.exebundle.exerckdck.exeavg.exeis-9R0JD.tmptelamon.exestopwatch.exetelamon.tmpsetup.exesetup.exesetup.exett-installer-helper.exeg_.exet.exeajC91.exeg.exee.exett-installer-helper.exeBootstraper.exesoles.exeOpera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.execobstrk.exejaf.exefile.exePurchaseOrder.exeNGOJToq.exeEBIbtQQ.exezfUPXrc.exeoJcIjwB.exezeCucRQ.exeDwnbyhk.exerUJzpVw.exeRHvvIGy.exejyEMVHm.exeWxYRAXS.exeyjpqlqr.exeCtzckNZ.exesFpSHAc.exeZsimKlS.exeCqKeVSO.exeZryoREw.exeCxIzGaM.exehxmQWOK.exeXtrBlDd.exeBvtPRgE.exeEqODKPR.exe

pid	process
868	anti.exe
32	butdes.exe
3164	flydes.exe
4876	i.exe
3008	flydes.tmp
2376	butdes.tmp
4868	gx.exe
1676	bundle.exe
4136	rckdck.exe
4828	avg.exe
2036	is-9R0JD.tmp
804	telamon.exe
1084	stopwatch.exe
5172	telamon.tmp
5224	setup.exe
5348	setup.exe
5548	setup.exe
6072	tt-installer-helper.exe
6092	g_.exe
5304	t.exe
5328	ajC91.exe
5532	g.exe
5836	e.exe
5900	tt-installer-helper.exe
2412	Bootstraper.exe
6904	soles.exe
6748	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
4272	assistant_installer.exe
3140	assistant_installer.exe
2320	cobstrk.exe
2388	jaf.exe
6836	file.exe
6312	PurchaseOrder.exe
6500	NGOJToq.exe
6640	EBIbtQQ.exe
3468	zfUPXrc.exe
4328	oJcIjwB.exe
3836	zeCucRQ.exe
4004	Dwnbyhk.exe
4516	rUJzpVw.exe
6996	RHvvIGy.exe
6632	jyEMVHm.exe
6708	WxYRAXS.exe
3496	yjpqlqr.exe
6436	CtzckNZ.exe
5588	sFpSHAc.exe
5564	ZsimKlS.exe
5240	CqKeVSO.exe
6624	ZryoREw.exe
6704	CxIzGaM.exe
6944	hxmQWOK.exe
6432	XtrBlDd.exe
7000	BvtPRgE.exe
6252	EqODKPR.exe

Loads dropped DLL 26 IoCs

Processes:

avg.exesetup.exetelamon.tmpsetup.exesetup.exet.exeg_.exeg.exeajC91.exee.exe

pid	process
4828	avg.exe
4828	avg.exe
5224	setup.exe
5172	telamon.tmp
5348	setup.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
5548	setup.exe
4828	avg.exe
5304	t.exe
5304	t.exe
6092	g_.exe
6092	g_.exe
5532	g.exe
5532	g.exe
5328	ajC91.exe
5328	ajC91.exe
5836	e.exe
5836	e.exe
5328	ajC91.exe
5328	ajC91.exe
5328	ajC91.exe
5328	ajC91.exe
5328	ajC91.exe
5328	ajC91.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2320-2153-0x00007FF6CC7E0000-0x00007FF6CCB31000-memory.dmp	upx
behavioral1/memory/6500-2197-0x00007FF79ACA0000-0x00007FF79AFF1000-memory.dmp	upx
behavioral1/memory/4328-2226-0x00007FF678970000-0x00007FF678CC1000-memory.dmp	upx
behavioral1/memory/4004-2237-0x00007FF626F20000-0x00007FF627271000-memory.dmp	upx
behavioral1/memory/3836-2235-0x00007FF6EB0A0000-0x00007FF6EB3F1000-memory.dmp	upx
behavioral1/memory/3468-2223-0x00007FF6F9CA0000-0x00007FF6F9FF1000-memory.dmp	upx
behavioral1/memory/6640-2219-0x00007FF777F20000-0x00007FF778271000-memory.dmp	upx
C:\Windows\System\NGOJToq.exe	upx
behavioral1/memory/6632-2244-0x00007FF7C6E20000-0x00007FF7C7171000-memory.dmp	upx
behavioral1/memory/6996-2243-0x00007FF70C7C0000-0x00007FF70CB11000-memory.dmp	upx
behavioral1/memory/5564-2253-0x00007FF7E7730000-0x00007FF7E7A81000-memory.dmp	upx
behavioral1/memory/5588-2252-0x00007FF7E2E50000-0x00007FF7E31A1000-memory.dmp	upx
behavioral1/memory/6436-2251-0x00007FF7EA3E0000-0x00007FF7EA731000-memory.dmp	upx
behavioral1/memory/6624-2255-0x00007FF730E60000-0x00007FF7311B1000-memory.dmp	upx
behavioral1/memory/6944-2257-0x00007FF7F90C0000-0x00007FF7F9411000-memory.dmp	upx
behavioral1/memory/6432-2258-0x00007FF7C0510000-0x00007FF7C0861000-memory.dmp	upx
behavioral1/memory/3496-2262-0x00007FF65C210000-0x00007FF65C561000-memory.dmp	upx
behavioral1/memory/4516-2261-0x00007FF6E99F0000-0x00007FF6E9D41000-memory.dmp	upx
behavioral1/memory/6252-2260-0x00007FF6C1510000-0x00007FF6C1861000-memory.dmp	upx
behavioral1/memory/7000-2259-0x00007FF6724B0000-0x00007FF672801000-memory.dmp	upx
behavioral1/memory/6704-2256-0x00007FF772250000-0x00007FF7725A1000-memory.dmp	upx
behavioral1/memory/5240-2254-0x00007FF641A50000-0x00007FF641DA1000-memory.dmp	upx
behavioral1/memory/6708-2246-0x00007FF6B91C0000-0x00007FF6B9511000-memory.dmp	upx
behavioral1/memory/2320-2276-0x00007FF6CC7E0000-0x00007FF6CCB31000-memory.dmp	upx
behavioral1/memory/6640-2282-0x00007FF777F20000-0x00007FF778271000-memory.dmp	upx
behavioral1/memory/3836-2283-0x00007FF6EB0A0000-0x00007FF6EB3F1000-memory.dmp	upx
behavioral1/memory/6500-2289-0x00007FF79ACA0000-0x00007FF79AFF1000-memory.dmp	upx
behavioral1/memory/3468-2291-0x00007FF6F9CA0000-0x00007FF6F9FF1000-memory.dmp	upx
behavioral1/memory/6996-2294-0x00007FF70C7C0000-0x00007FF70CB11000-memory.dmp	upx
behavioral1/memory/6640-2340-0x00007FF777F20000-0x00007FF778271000-memory.dmp	upx
behavioral1/memory/4516-2341-0x00007FF6E99F0000-0x00007FF6E9D41000-memory.dmp	upx
behavioral1/memory/6708-2344-0x00007FF6B91C0000-0x00007FF6B9511000-memory.dmp	upx
behavioral1/memory/4328-2345-0x00007FF678970000-0x00007FF678CC1000-memory.dmp	upx

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

Processes:

ajC91.exeavg.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\AVAST Software\Avast	ajC91.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	avg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\AVAST Software\Avast	avg.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	ajC91.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

jaf.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jaf.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jaf.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exesetup.exe

description	ioc	process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

206 raw.githubusercontent.com
207 raw.githubusercontent.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

264 api.ipify.org
265 api.ipify.org
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

ajC91.exe

description ioc process

File opened for modification \??\PhysicalDrive0 ajC91.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

soles.exe

pid process

6904 soles.exe
6904 soles.exe

flow	ioc
206	raw.githubusercontent.com
207	raw.githubusercontent.com

flow	ioc
264	api.ipify.org
265	api.ipify.org

description	ioc	process
File opened for modification	\??\PhysicalDrive0	ajC91.exe

pid	process
6904	soles.exe
6904	soles.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

file.exePurchaseOrder.exe

description	pid	process	target process
PID 6836 set thread context of 6384	6836	file.exe	MSBuild.exe
PID 6312 set thread context of 288	6312	PurchaseOrder.exe	RegSvcs.exe

Drops file in Windows directory 21 IoCs

Processes:

cobstrk.exe

description	ioc	process
File created	C:\Windows\System\CtzckNZ.exe	cobstrk.exe
File created	C:\Windows\System\sFpSHAc.exe	cobstrk.exe
File created	C:\Windows\System\ZsimKlS.exe	cobstrk.exe
File created	C:\Windows\System\CxIzGaM.exe	cobstrk.exe
File created	C:\Windows\System\EqODKPR.exe	cobstrk.exe
File created	C:\Windows\System\RHvvIGy.exe	cobstrk.exe
File created	C:\Windows\System\yjpqlqr.exe	cobstrk.exe
File created	C:\Windows\System\ZryoREw.exe	cobstrk.exe
File created	C:\Windows\System\EBIbtQQ.exe	cobstrk.exe
File created	C:\Windows\System\zfUPXrc.exe	cobstrk.exe
File created	C:\Windows\System\oJcIjwB.exe	cobstrk.exe
File created	C:\Windows\System\Dwnbyhk.exe	cobstrk.exe
File created	C:\Windows\System\rUJzpVw.exe	cobstrk.exe
File created	C:\Windows\System\zeCucRQ.exe	cobstrk.exe
File created	C:\Windows\System\WxYRAXS.exe	cobstrk.exe
File created	C:\Windows\System\XtrBlDd.exe	cobstrk.exe
File created	C:\Windows\System\NGOJToq.exe	cobstrk.exe
File created	C:\Windows\System\jyEMVHm.exe	cobstrk.exe
File created	C:\Windows\System\CqKeVSO.exe	cobstrk.exe
File created	C:\Windows\System\hxmQWOK.exe	cobstrk.exe
File created	C:\Windows\System\BvtPRgE.exe	cobstrk.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exesetup.execmd.exetaskkill.exetaskkill.execmd.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execipher.exetaskkill.exetaskkill.exeNOTEPAD.EXEtaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeanti.exestopwatch.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exejaf.exebutdes.exetaskkill.exetaskkill.exetaskkill.exepowershell.exeassistant_installer.exetaskkill.exetaskkill.execmd.exetaskkill.exetaskkill.exetaskkill.exeRegSvcs.exepowershell.exetaskkill.exetaskkill.exeOpera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stopwatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butdes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ajC91.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ajC91.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ajC91.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

5164 timeout.exe
3596 timeout.exe

pid	process
5164	timeout.exe
3596	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1568	taskkill.exe
6316	taskkill.exe
912	taskkill.exe
5512	taskkill.exe
6916	taskkill.exe
6880	taskkill.exe
5592	taskkill.exe
5472	taskkill.exe
3096	taskkill.exe
4852	taskkill.exe
1676	taskkill.exe
2004	taskkill.exe
6756	taskkill.exe
1376	taskkill.exe
6480	taskkill.exe
5820	taskkill.exe
2248	taskkill.exe
3592	taskkill.exe
6428	taskkill.exe
6260	taskkill.exe
6604	taskkill.exe
5828	taskkill.exe
3312	taskkill.exe
2796	taskkill.exe
6244	taskkill.exe
6936	taskkill.exe
3792	taskkill.exe
3328	taskkill.exe
4448	taskkill.exe
3328	taskkill.exe
6516	taskkill.exe
6256	taskkill.exe
5440	taskkill.exe
5388	taskkill.exe
5732	taskkill.exe
412	taskkill.exe
5596	taskkill.exe
6308	taskkill.exe
6228	taskkill.exe
4184	taskkill.exe
6056	taskkill.exe
6860	taskkill.exe
6304	taskkill.exe
6860	taskkill.exe
6964	taskkill.exe
6308	taskkill.exe
6260	taskkill.exe
1728	taskkill.exe
5380	taskkill.exe
6380	taskkill.exe
6548	taskkill.exe
6700	taskkill.exe
5900	taskkill.exe
3736	taskkill.exe
4000	taskkill.exe
6500	taskkill.exe
3160	taskkill.exe
5564	taskkill.exe
6628	taskkill.exe
4916	taskkill.exe
808	taskkill.exe
6448	taskkill.exe
3224	taskkill.exe
316	taskkill.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	cmd.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

notepad.exeNOTEPAD.EXE

pid process

6596 notepad.exe
7020 NOTEPAD.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

5336 schtasks.exe

pid	process
6596	notepad.exe
7020	NOTEPAD.EXE

pid	process
5336	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeavg.exeajC91.exe

pid	process
4016	msedge.exe
4016	msedge.exe
2128	msedge.exe
2128	msedge.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
5328	ajC91.exe
5328	ajC91.exe
4828	avg.exe
4828	avg.exe
5328	ajC91.exe
5328	ajC91.exe
5328	ajC91.exe
5328	ajC91.exe
5328	ajC91.exe
5328	ajC91.exe
5328	ajC91.exe
5328	ajC91.exe
5328	ajC91.exe
5328	ajC91.exe
5328	ajC91.exe
5328	ajC91.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe
4828	avg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

g_.exe

pid process

6092 g_.exe

pid	process
6092	g_.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeAUDIODG.EXEtaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exemsiexec.exetaskkill.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	4552	taskkill.exe
Token: SeDebugPrivilege	2712	taskkill.exe
Token: SeDebugPrivilege	3312	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	3244	taskkill.exe
Token: SeDebugPrivilege	412	taskkill.exe
Token: SeDebugPrivilege	2484	taskkill.exe
Token: SeDebugPrivilege	664	taskkill.exe
Token: SeDebugPrivilege	3432	taskkill.exe
Token: SeDebugPrivilege	3908	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	244	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	4944	taskkill.exe
Token: SeDebugPrivilege	3096	taskkill.exe
Token: SeDebugPrivilege	3764	taskkill.exe
Token: SeDebugPrivilege	1032	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	4996	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	4916	taskkill.exe
Token: SeDebugPrivilege	4852	taskkill.exe
Token: SeDebugPrivilege	4060	taskkill.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	4080	taskkill.exe
Token: SeDebugPrivilege	4000	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	4184	taskkill.exe
Token: SeDebugPrivilege	3920	taskkill.exe
Token: 33	3312	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3312	AUDIODG.EXE
Token: SeDebugPrivilege	3156	taskkill.exe
Token: SeDebugPrivilege	680	taskkill.exe
Token: SeDebugPrivilege	2204	taskkill.exe
Token: SeDebugPrivilege	3224	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	4148	taskkill.exe
Token: SeDebugPrivilege	3592	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeDebugPrivilege	2536	taskkill.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeDebugPrivilege	5380	taskkill.exe
Token: SeShutdownPrivilege	5960	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5960	msiexec.exe
Token: SeDebugPrivilege	6056	taskkill.exe
Token: SeSecurityPrivilege	4128	msiexec.exe
Token: SeCreateTokenPrivilege	5960	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5960	msiexec.exe
Token: SeLockMemoryPrivilege	5960	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5960	msiexec.exe
Token: SeMachineAccountPrivilege	5960	msiexec.exe
Token: SeTcbPrivilege	5960	msiexec.exe
Token: SeSecurityPrivilege	5960	msiexec.exe
Token: SeTakeOwnershipPrivilege	5960	msiexec.exe
Token: SeLoadDriverPrivilege	5960	msiexec.exe
Token: SeSystemProfilePrivilege	5960	msiexec.exe
Token: SeSystemtimePrivilege	5960	msiexec.exe
Token: SeProfSingleProcessPrivilege	5960	msiexec.exe
Token: SeIncBasePriorityPrivilege	5960	msiexec.exe
Token: SeCreatePagefilePrivilege	5960	msiexec.exe
Token: SeCreatePermanentPrivilege	5960	msiexec.exe
Token: SeBackupPrivilege	5960	msiexec.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

efsui.exeanti.exemsedge.exestopwatch.exemsiexec.exe

pid	process
1916	efsui.exe
1916	efsui.exe
1916	efsui.exe
868	anti.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
1084	stopwatch.exe
5960	msiexec.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

efsui.exe

pid process

1916 efsui.exe
1916 efsui.exe
1916 efsui.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

setup.exeavg.exeajC91.exesoles.exe

pid process

5224 setup.exe
4828 avg.exe
5328 ajC91.exe
6904 soles.exe

pid	process
5224	setup.exe
4828	avg.exe
5328	ajC91.exe
6904	soles.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

P0lko.execmd.execmd.exe

description	pid	process	target process
PID 4620 wrote to memory of 2000	4620	P0lko.exe	cmd.exe
PID 4620 wrote to memory of 2000	4620	P0lko.exe	cmd.exe
PID 4620 wrote to memory of 2000	4620	P0lko.exe	cmd.exe
PID 2000 wrote to memory of 868	2000	cmd.exe	anti.exe
PID 2000 wrote to memory of 868	2000	cmd.exe	anti.exe
PID 2000 wrote to memory of 868	2000	cmd.exe	anti.exe
PID 2000 wrote to memory of 2544	2000	cmd.exe	cmd.exe
PID 2000 wrote to memory of 2544	2000	cmd.exe	cmd.exe
PID 2000 wrote to memory of 2544	2000	cmd.exe	cmd.exe
PID 2000 wrote to memory of 4720	2000	cmd.exe	cipher.exe
PID 2000 wrote to memory of 4720	2000	cmd.exe	cipher.exe
PID 2000 wrote to memory of 4720	2000	cmd.exe	cipher.exe
PID 2544 wrote to memory of 4552	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 4552	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 4552	2544	cmd.exe	taskkill.exe
PID 2000 wrote to memory of 4864	2000	cmd.exe	cipher.exe
PID 2000 wrote to memory of 4864	2000	cmd.exe	cipher.exe
PID 2000 wrote to memory of 4864	2000	cmd.exe	cipher.exe
PID 2544 wrote to memory of 2712	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 2712	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 2712	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 3312	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 3312	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 3312	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 1376	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 1376	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 1376	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 3244	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 3244	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 3244	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 412	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 412	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 412	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 2484	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 2484	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 2484	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 664	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 664	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 664	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 3432	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 3432	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 3432	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 3908	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 3908	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 3908	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 1688	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 1688	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 1688	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 244	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 244	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 244	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 2248	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 2248	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 2248	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 4944	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 4944	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 4944	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 3096	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 3096	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 3096	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 3764	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 3764	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 3764	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 1032	2544	cmd.exe	taskkill.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

5480 attrib.exe

pid	process
5480	attrib.exe

C:\Users\Admin\AppData\Local\Temp\P0lko.exe
"C:\Users\Admin\AppData\Local\Temp\P0lko.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\!m.bat" "
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\anti.exe
    anti.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K fence.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1376
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3908
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2248
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:316
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2004
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3920
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3156
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:680
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2204
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3224
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4148
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5380
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:6304
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:6932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:6244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:6916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5648
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:6860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:6920
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5476
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2120
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:6880
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3328
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:6516
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:6800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:6308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:7068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4040
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:6260
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6180
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:6936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:6256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:6932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:6160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:6548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:6500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:6448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:6604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6348
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:4448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:6428
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3224
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2236
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6284
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:6480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:5820
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6416
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:5732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:6324
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:7068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:6228
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6180
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:6316
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:6380
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:6700
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:6964
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:636
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:6628
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3224
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3328
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:6756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:6860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:6308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:6260
- - C:\Windows\SysWOW64\cipher.exe
    cipher /k /h /e C:\Users\Admin\Desktop\*
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\cipher.exe
    cipher C:\Users\Admin\Desktop\*
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\doc.html
    3⤵
    - Manipulates Digital Signatures
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:2128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe747146f8,0x7ffe74714708,0x7ffe74714718
      4⤵
      PID:232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,13199893634596953211,11676874506566901594,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
      4⤵
      PID:1940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,13199893634596953211,11676874506566901594,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,13199893634596953211,11676874506566901594,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
      4⤵
      PID:2592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13199893634596953211,11676874506566901594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
      4⤵
      PID:5016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13199893634596953211,11676874506566901594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      4⤵
      PID:2500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13199893634596953211,11676874506566901594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
      4⤵
      PID:4120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13199893634596953211,11676874506566901594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
      4⤵
      PID:4164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13199893634596953211,11676874506566901594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
      4⤵
      PID:2796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13199893634596953211,11676874506566901594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
      4⤵
      PID:5396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,13199893634596953211,11676874506566901594,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6592 /prefetch:2
      4⤵
      PID:6864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13199893634596953211,11676874506566901594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
      4⤵
      PID:3936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13199893634596953211,11676874506566901594,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
      4⤵
      PID:3332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,13199893634596953211,11676874506566901594,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6316 /prefetch:8
      4⤵
      PID:6204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,13199893634596953211,11676874506566901594,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6316 /prefetch:8
      4⤵
      PID:7140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13199893634596953211,11676874506566901594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
      4⤵
      PID:6660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13199893634596953211,11676874506566901594,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7116 /prefetch:1
      4⤵
      PID:6008
- - C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\butdes.exe
    butdes.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:32
  - - C:\Users\Admin\AppData\Local\Temp\is-GC5H7.tmp\butdes.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-GC5H7.tmp\butdes.tmp" /SL5="$20164,2719719,54272,C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\butdes.exe"
      4⤵
      Executes dropped EXE
      PID:2376
- - C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\flydes.exe
    flydes.exe
    3⤵
    - Executes dropped EXE
    PID:3164
  - - C:\Users\Admin\AppData\Local\Temp\is-VE5D0.tmp\flydes.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-VE5D0.tmp\flydes.tmp" /SL5="$20160,595662,54272,C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\flydes.exe"
      4⤵
      Executes dropped EXE
      PID:3008
- - C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\i.exe
    i.exe
    3⤵
    - Executes dropped EXE
    PID:4876
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3596
- - C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\gx.exe
    gx.exe
    3⤵
    - Executes dropped EXE
    PID:4868
  - - C:\Users\Admin\AppData\Local\Temp\7zS403636D7\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS403636D7\setup.exe --server-tracking-blob=MzY5Njg4ZTc1OTE1MjcyMTMxZmYwZTk4ODU3ZWE4Mjk0NjQ0Nzc5MjcxMWY4OGZhOThlNTU5YmNlNzA1NmJiOTp7ImNvdW50cnkiOiJOTCIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9OTF9VVlJfMzczNiZlZGl0aW9uPXN0ZC0yJnV0bV9jb250ZW50PTM3MzZfJnV0bV9pZD0wNTgwYWM0YWUyOTA0ZDA3ODNkOTQxNWE0NWRhZGFkYSZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRnJ1JTJGZ3glM0ZlZGl0aW9uJTNEc3RkLTIlMjZ1dG1fc291cmNlJTNEUFdOZ2FtZXMlMjZ1dG1fbWVkaXVtJTNEcGElMjZ1dG1fY2FtcGFpZ24lM0RQV05fTkxfVVZSXzM3MzYlMjZ1dG1fY29udGVudCUzRDM3MzZfJTI2dXRtX2lkJTNEMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkZneCZ1dG1faWQ9MDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmZGxfdG9rZW49NzAwOTYzNzgiLCJ0aW1lc3RhbXAiOiIxNzI1ODAyMjIzLjgwMDQiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTI4LjAuMC4wIFNhZmFyaS81MzcuMzYgRWRnLzEyOC4wLjAuMCIsInV0bSI6eyJjYW1wYWlnbiI6IlBXTl9OTF9VVlJfMzczNiIsImNvbnRlbnQiOiIzNzM2XyIsImlkIjoiMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS9neCIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiI0ODkyOGFmMC1jZDc3LTQ0NDctYTQyNy1kNzY5ODRmOGQ5NGMifQ==
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      PID:5224
    - - C:\Users\Admin\AppData\Local\Temp\7zS403636D7\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS403636D7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.115 --initial-client-data=0x31c,0x320,0x324,0x2f8,0x328,0x6ecc1b54,0x6ecc1b60,0x6ecc1b6c
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5348
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5548
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409131515591\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409131515591\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6748
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409131515591\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409131515591\assistant\assistant_installer.exe" --version
        5⤵
        Executes dropped EXE
        
        PID:4272
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409131515591\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409131515591\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x248,0x270,0x274,0x250,0x278,0xb54f48,0xb54f58,0xb54f64
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3140
- - C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\bundle.exe
    bundle.exe
    3⤵
    - Executes dropped EXE
    PID:1676
- - C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\rckdck.exe
    rckdck.exe
    3⤵
    - Executes dropped EXE
    PID:4136
  - - C:\Users\Admin\AppData\Local\Temp\is-NRNRL.tmp\is-9R0JD.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NRNRL.tmp\is-9R0JD.tmp" /SL4 $2008E "C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\rckdck.exe" 6123423 52736
      4⤵
      Executes dropped EXE
      PID:2036
- - C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\avg.exe
    avg.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4828
  - - C:\Users\Admin\AppData\Local\Temp\ajC91.exe
      "C:\Users\Admin\AppData\Local\Temp\ajC91.exe" /relaunch=8 /was_elevated=1 /tagdata
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5328
- - C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\telamon.exe
    telamon.exe
    3⤵
    - Executes dropped EXE
    PID:804
  - - C:\Users\Admin\AppData\Local\Temp\is-PA1S8.tmp\telamon.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-PA1S8.tmp\telamon.tmp" /SL5="$200AA,1520969,918016,C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\telamon.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5172
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-60PGM.tmp\tt-installer-helper.exe" --getuid > "C:\Users\Admin\AppData\Local\Temp\is-60PGM.tmp\~execwithresult.txt""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5612
      - C:\Users\Admin\AppData\Local\Temp\is-60PGM.tmp\tt-installer-helper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-60PGM.tmp\tt-installer-helper.exe" --getuid
        6⤵
        Executes dropped EXE
        
        PID:6072
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-60PGM.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\telamon.exe > "C:\Users\Admin\AppData\Local\Temp\is-60PGM.tmp\~execwithresult.txt""
        5⤵
        
        PID:5456
      - C:\Users\Admin\AppData\Local\Temp\is-60PGM.tmp\tt-installer-helper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-60PGM.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\telamon.exe
        6⤵
        Executes dropped EXE
        
        PID:5900
- - C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\stopwatch.exe
    stopwatch.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:1084
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\gadget.msi"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:5960
- - C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\g_.exe
    g_.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:6092
- - C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\t.exe
    t.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5304
- - C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\g.exe
    g.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5532
- - C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\e.exe
    e.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5836
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\GAB
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:5480
- - C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\Bootstraper.exe
    Bootstraper.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:2412
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\SalaNses'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:5680
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:5676
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6072
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:5584
  - - C:\SalaNses\soles.exe
      "C:\SalaNses\soles.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetWindowsHookEx
      PID:6904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\dng.html
    3⤵
    PID:5672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe747146f8,0x7ffe74714708,0x7ffe74714718
      4⤵
      PID:5552
- - C:\Windows\SysWOW64\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:5164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K proxy.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4160
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\GAB\13569.CompositeFont"
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:6596
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\GAB\13569.ini
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:7020
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\GAB\13569.ttc
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\GAB\13569.TTF
    3⤵
    PID:6900
- - C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\cobstrk.exe
    cobstrk.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2320
  - - C:\Windows\System\NGOJToq.exe
      C:\Windows\System\NGOJToq.exe
      4⤵
      Executes dropped EXE
      PID:6500
  - - C:\Windows\System\EBIbtQQ.exe
      C:\Windows\System\EBIbtQQ.exe
      4⤵
      Executes dropped EXE
      PID:6640
  - - C:\Windows\System\zfUPXrc.exe
      C:\Windows\System\zfUPXrc.exe
      4⤵
      Executes dropped EXE
      PID:3468
  - - C:\Windows\System\oJcIjwB.exe
      C:\Windows\System\oJcIjwB.exe
      4⤵
      Executes dropped EXE
      PID:4328
  - - C:\Windows\System\zeCucRQ.exe
      C:\Windows\System\zeCucRQ.exe
      4⤵
      Executes dropped EXE
      PID:3836
  - - C:\Windows\System\Dwnbyhk.exe
      C:\Windows\System\Dwnbyhk.exe
      4⤵
      Executes dropped EXE
      PID:4004
  - - C:\Windows\System\rUJzpVw.exe
      C:\Windows\System\rUJzpVw.exe
      4⤵
      Executes dropped EXE
      PID:4516
  - - C:\Windows\System\RHvvIGy.exe
      C:\Windows\System\RHvvIGy.exe
      4⤵
      Executes dropped EXE
      PID:6996
  - - C:\Windows\System\jyEMVHm.exe
      C:\Windows\System\jyEMVHm.exe
      4⤵
      Executes dropped EXE
      PID:6632
  - - C:\Windows\System\WxYRAXS.exe
      C:\Windows\System\WxYRAXS.exe
      4⤵
      Executes dropped EXE
      PID:6708
  - - C:\Windows\System\yjpqlqr.exe
      C:\Windows\System\yjpqlqr.exe
      4⤵
      Executes dropped EXE
      PID:3496
  - - C:\Windows\System\CtzckNZ.exe
      C:\Windows\System\CtzckNZ.exe
      4⤵
      Executes dropped EXE
      PID:6436
  - - C:\Windows\System\sFpSHAc.exe
      C:\Windows\System\sFpSHAc.exe
      4⤵
      Executes dropped EXE
      PID:5588
  - - C:\Windows\System\ZsimKlS.exe
      C:\Windows\System\ZsimKlS.exe
      4⤵
      Executes dropped EXE
      PID:5564
  - - C:\Windows\System\CqKeVSO.exe
      C:\Windows\System\CqKeVSO.exe
      4⤵
      Executes dropped EXE
      PID:5240
  - - C:\Windows\System\ZryoREw.exe
      C:\Windows\System\ZryoREw.exe
      4⤵
      Executes dropped EXE
      PID:6624
  - - C:\Windows\System\CxIzGaM.exe
      C:\Windows\System\CxIzGaM.exe
      4⤵
      Executes dropped EXE
      PID:6704
  - - C:\Windows\System\hxmQWOK.exe
      C:\Windows\System\hxmQWOK.exe
      4⤵
      Executes dropped EXE
      PID:6944
  - - C:\Windows\System\XtrBlDd.exe
      C:\Windows\System\XtrBlDd.exe
      4⤵
      Executes dropped EXE
      PID:6432
  - - C:\Windows\System\BvtPRgE.exe
      C:\Windows\System\BvtPRgE.exe
      4⤵
      Executes dropped EXE
      PID:7000
  - - C:\Windows\System\EqODKPR.exe
      C:\Windows\System\EqODKPR.exe
      4⤵
      Executes dropped EXE
      PID:6252
- - C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\jaf.exe
    jaf.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K des.bat
    3⤵
    PID:6368
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6936
- - C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\file.exe
    file.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:6836
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:6384
- - C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\PurchaseOrder.exe
    PurchaseOrder.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:6312
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\PurchaseOrder.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7064
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TESAYt.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1052
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TESAYt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2C85.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5336
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:288

C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1916

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e4 0x4a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4924

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GAB\13569.CompositeFont

Filesize
42KB

MD5
8f64a583b0823bfc2fdf7277e67b5e16

SHA1
f8029c828d0aef58f8818b866f1f7f1ec2f095b8

SHA256
b637a0f9031088d08147f397836fe1c16b15c70db696db4ddea05ec5b95b4f91

SHA512
e8c7941c8a42f6408b0071c7f0ea06a226757d3a07e3943738296c5dd5e5e60d682424182f0d788f42a5758f1c76ef1ec89901acc43799833234f09f3b4278a2

Download Submit
C:\GAB\13569.TTF

Filesize
134KB

MD5
cfce6abbbff0099b15691345d8b94dcc

SHA1
a2f9ca2ae529a6cc03cad88fefb0a0e45b7046f4

SHA256
3a9cbb5d75b2a2b0d22dc94571608e4e9dc7b88e825374985880c5722c1c9e5f

SHA512
ec7d8f9c4c326bba42997d85262bb049139d4c874a81ed08e238a7ebf6524aeaeed9cd91be6bfa24500c63f46387dea509c68c0c50bb448e44a9550fe7e5b7d5

Download Submit
C:\GAB\13569.TTF

Filesize
1.1MB

MD5
1d2b07df8f3696e0abf498e12ebcc7ef

SHA1
39661fdfeeba49ccfa7c6a08b1e855166df5df26

SHA256
b41fbe0ded6d4570059ca8d01eb0f826defeadc30bbb90792ddae1856383b2dc

SHA512
845f98e91222b6146363d16e17c627932ef0e30601ea20c506f2230a8b3a41955d60cc730f6796bd71cca3b2332c86209bdf838e6e81f4762ddeeab8f2add23d

Download Submit
C:\GAB\13569.TTF

Filesize
1.2MB

MD5
38459b9b11d6f545d9de45d1212553f7

SHA1
0e9e506efe139e491a2f21a17215e40716de434a

SHA256
0143fa4f4ba528581c89719b77545e8920c9555ad2daf0cce179e019697d774b

SHA512
50fab538ce6dd48b3941a2c374927b6f897c3ae0e472b11d923301dbeb7681e3da84b7e938f809d7903d7f09bed8b307740b01c2adebac11205bc789eedf21af

Download Submit
C:\GAB\13569.TTF

Filesize
448KB

MD5
ca4196be1f7e21934449efec3b4ccf08

SHA1
bb903bd5541a49744ca5617d221b5ac53d36c36b

SHA256
d514aa819d652e90c03a13c961d5542b84a45c9c4c880cee3b935a8c02dd1df5

SHA512
46b1df065397b2fdfcd58d675151992fd33026aaa7be9629e0880b2b373c3a88f25886556216a7effc8ff4f41d5069bcc08cc3cc53bd8b944bfb58a55b5cde83

Download Submit
C:\GAB\13569.TTF

Filesize
892KB

MD5
d09506f8074b406a4d333c56f0ec6b24

SHA1
b2de207229c20beffd38675c6c998d427d8a0909

SHA256
bb85ded3d7c21b0a60c70d84b37052eb008627ae149d9cb8af84fd92551d91f0

SHA512
7dc78eda74871d1b9e3a64e62c52d3a9c0a9bbfed844bdae2ecfd9e479b409b8ac6ee543c631390d4f1efdd3f70ecda89a167f27553a3b6845170c25e912ead1

Download Submit
C:\GAB\13569.TTF

Filesize
832KB

MD5
6523667543d2b9dff6a7b4c9ee4b5219

SHA1
d009dde4860d13c9e2e7c038fe8d56401a782d6d

SHA256
ade337b4ba4072c48ed33a71ca0987fb9e8e92a208dfc6b536b853d45657392e

SHA512
d9bc8efe1bc2609b64f48372fbf0b3b9cd0156d14014cf87452f515ba632ae5586dce3cfef5dbed13d363c5a594cdc98e74446a0b30b644413148cd783e88bc7

Download Submit
C:\GAB\13569.TTF

Filesize
834KB

MD5
ef9f5da3e4340c63e73e5245a06da53a

SHA1
77f77790a8cdd1cbbafbeee94949b5cff6689de3

SHA256
a0a1e4fd375854288a4416f8a5dcfee586ae9cac08551e2038cbe8ea6a1bbec6

SHA512
a13d6c583b7c65ac701cc4def6bc7cfad0328ddeeaa2db5dd439a41406df7261af48928aa5f2d7ce6e318c8f683082f63fbe671ae6a7784133b5169cc3bd1040

Download Submit
C:\GAB\13569.TTF

Filesize
4.4MB

MD5
c781b31b8bdbc720a9218324c30e3ac2

SHA1
ad446316b17303cf4a2a3749abfa5b1c9a083a6f

SHA256
f936308194b56bcacee5552c53b4dbf773141cc2582ecbb96b3d00232e262233

SHA512
7ab2f629b9dfcb89723fa84be33bb093569b13dc28f83c7d9803c95f045d719d3e822bd8f818923daf27bf7aed371aab54127b18d3281bd51d3b49bef17a77d9

Download Submit
C:\GAB\13569.TTF

Filesize
224KB

MD5
8924123111f4a88ec9a4541aa713db53

SHA1
342cd5a4ce1d036d72ead842478d3ac2514760f9

SHA256
d71f81c83ec63eaa32d36d5df7be1d9e71d3ea9150f47cebda2924923cbbf18a

SHA512
c02ee1f193fb9f5bf1adee4bf6fea02db1f718ec74c6900419cccdc52e4d1ad6e5c540716c717655153f69b0a4daa6b3832ec9222f803efb181ac8954a032c8f

Download Submit
C:\GAB\13569.TTF

Filesize
34KB

MD5
9e2ee65661bee40438d514fe592bfcf8

SHA1
140a77e69329638a5c53dc01fbcfe0ce9ab93423

SHA256
ac9ee085920a3d8b076d5e0c61dc9df42c4bac28d1fc968344f9ceddb3972f69

SHA512
3b3c7ff00d8f12cea48008a2e95c194f7fc64ee96425a3cfefb8b65a9f7dad66fa16104ec1cf96ac6892426e5e8ab59dab91e3d56d76f58753b80f8ac48f2612

Download Submit
C:\GAB\13569.TTF

Filesize
821KB

MD5
c8a09a7fe7516b62c16c3ef271630be6

SHA1
4ee13d2e71baf2647a4133ab400b8abf272d6448

SHA256
3ac6802524d8429ffbf8083487159bff180e52edeab9732ff901a799d4cec985

SHA512
2c837c4071ee1a8969fd876d49ce0806cda546232106dc80d5d2910b7f8bf4bcddc9a36609d56dfa663d2f24cc9e8d321399f8b37f08daa8bb0d6af28e496fe9

Download Submit
C:\GAB\13569.TTF

Filesize
284KB

MD5
3ad8d4727d600d1d1af31394454235be

SHA1
ef9dd2983857b8b41cc8aff1b8fb421aefa3588e

SHA256
fa008372f8a94945d0daef9daf0bfb9e3fba3a25fd17f2607d47ac6861bd0303

SHA512
13280eaecafa2e2a0c51c57d2b2a91fbf96cb90048543930279dc68a5c3bdda03064ae208bff3ecc7d025fddfe4c29102f8f5404fbf02a64e7fdbeb420fcc10d

Download Submit
C:\GAB\13569.TTF

Filesize
287KB

MD5
82bd7555c2aa0f84e52572b4302e0131

SHA1
db8a678e01c37ff2e2da7ad3b097cab391c25e1a

SHA256
588f090ae3a6d31370457312683d14ee3a5bfbdaaa0a070b7c80225b55b23e78

SHA512
f2016856108281bd3ba4edb0b6343df298c6ee58ac36bf2d077b6be4841120601c8939d28accfe8d157a70b10904fda0432cb3dabb261e55667710d51ed168dd

Download Submit
C:\GAB\13569.TTF

Filesize
895KB

MD5
22508d1da53ecaf941350c4a2e060f3a

SHA1
3d6c3fd552fc7805be4564f157fb04565757230c

SHA256
1e016947ceedd2b46dd098b5a033526ef4f0c0e7d58968a2203ab69443949350

SHA512
6714839cce53bde210988c1cda61b4587dc3facaa13e94425960eb25b16e90dcb8d4cc5e8737e467c227d33d582d4e45cba1eafc8db7035b57ff033c5ba1fe19

Download Submit
C:\GAB\13569.fon

Filesize
5KB

MD5
21475b17405b86f37a2c15a1df2733b3

SHA1
e640903a5fa2a800a27b74c73a02ea855dcbd953

SHA256
6e7a86167874f989433a264345e5ea6c0e000861cbca8153858b23d7d35d5ecc

SHA512
5752f5cdd3d6e56de8d6382dced5b7425fead8cbdb21755fb504320157a4aad3a713fb8d5d4d52e843d60b0251b3c14ee6e7720824ace97b9fd8a5dbf7e0d8f0

Download Submit
C:\GAB\13569.fon

Filesize
7KB

MD5
ad75fb38d57de96a18fd5fcad4a282cb

SHA1
2689835e7573d1ea8cfdf6ae7fd77b671baccbc7

SHA256
c7b31d6d41b52ea093fc845bb51f5fc8bb772b278a0cd8d0dac980dc9e6b08eb

SHA512
ef3e09211a3e58428b94bda0f84d84e83e1e76f40b6f633a6a0e4121cfbdd4cf5253627be285e853d8c536a611f8abf6b2cfdff69033e596c56aaa5b625b6bc2

Download Submit
C:\GAB\13569.fon

Filesize
12KB

MD5
dcfe71d27bf49ba16fde0d1945bfb4a2

SHA1
86b3d8696b5da354ef42c8ab4a9d21cdaaf0dda1

SHA256
eacbfca9a5ef05a108ef5337c773d82a43398bb8ea177e5ebeef62934dd75811

SHA512
4da8efcfd4a77e230c61a527eb96b5193b9f5ddc0d476dfca8ce6ba7143ac5c8a1fd8b673cc2c7b554dae42ec01364a178f64532b6de17d44dce07b3089869c3

Download Submit
C:\GAB\13569.fon

Filesize
82KB

MD5
5972eeea7971170eb72cab2fc85c2b17

SHA1
d327d96bd78c5e851e065d053829abbb370c0c09

SHA256
9677467feb714a89de457e262ff6647708b7de66127671b77f7e1e92aa0c2f41

SHA512
c55c5217271f29bd3a7a130daa5e5711eff65630127f90112a26bb4ba3dbf416059f9424606bc1998ff4eec874c18767a395e20c3dc516a00079b2c5a7221ed3

Download Submit
C:\GAB\13569.fon

Filesize
64KB

MD5
5dc2da595c0cd6a29d7bb6fa9697810a

SHA1
b71be3483288c5db47625c3f01cb124d8e6e69fb

SHA256
b99ad27d296e74fd6dc795c524f3312f41d0b2ec5ce88554511fd7b3dba2d4c7

SHA512
f747d8de7edea9f1b7e24e1a336a9809acd822025b2992d2e85183fc0b7d71bdd29c0dda16db4295523e4e9ba701feff226689975d97dbd8ab9e869be47f12cb

Download Submit
C:\GAB\13569.fon

Filesize
95KB

MD5
a88c8cf32634073f465f3bd834187468

SHA1
8094cee4fc99bd7b449d35e803d979c676ba02f8

SHA256
770ee7e6b277155fbe0ad0c6f5c8365b16cbf7f7cd86c89ad1f04e0d81695558

SHA512
958b00792a30a2124f10e43b1eba4190438ee7b6a7a931f15a77906e03ee0604f9c3489a1c5218c88f2b173fa803dc3f9847a3ddfade393c929e3a6b14a5bf29

Download Submit
C:\GAB\13569.fon

Filesize
6KB

MD5
cb0c5c52a03272adc0c3b32f566ec791

SHA1
160598938b693e80a834e4917c8bae5f4d9b1b94

SHA256
766b20cd7a4c905b91eea6d0782e71b852caa1531a6a1fc43921943d95f6aa8e

SHA512
b0c8364b7ec2453da8331e8f8b2e4f02d656ef3897313a03d95a5fdc10a410bbd085b272cf4cc1ca8fae2dc1f643eb3e6444451600937dfc24698b7db03044d8

Download Submit
C:\GAB\13569.fon

Filesize
5KB

MD5
e5f5a5502d3f7c6588288c0d9696fba5

SHA1
449ef97c8b704591518c996bcdd872fdc1639259

SHA256
496b3a671d898d7f451831168af63160c7bdeea47d6ef023fa7da0943744d355

SHA512
d51202eaef95ab84ea4142035aed42c8a99c09e1da175a72ef9b2053c93c3bb3678fe02f22916518703054e5eb51a617c5ac29cc1c72562d8cea7359d29974d1

Download Submit
C:\GAB\13569.fon

Filesize
6KB

MD5
8a5dbabcb9b11e3e0c527b93e69d5e4d

SHA1
c47add614ece5ed16ca456bac08b1f2cbaccfec9

SHA256
824ea3f5eabd9c3b8e0041e78935feb65545f58760ce0c47a0d938ad75f8e241

SHA512
ddcb3520d68321e6372630cb34473c7b310ffed1263cde8e1059837e63e42e7a7e644537044dee774e9ea3e912e485f2630bc106233e039ea925355ec29921c0

Download Submit
C:\GAB\13569.fon

Filesize
4KB

MD5
9d2bf033acde5a212f6f5404d490e169

SHA1
a0e28adf40a9d06710d20071dcaba2569b91b1dd

SHA256
93e7c6c123d9b53a2d933f63093b4b85302023517f56abf057f9ef8a94d83b8b

SHA512
8dcb0dd9dc72c2de61e26932b72d5923a43b0f512e8d2df5334f478a78ee80f492bb8cb193dd3a314a6a19dd95e4899b40e7b76c3b1f767f5e8b46d1b1b3c00d

Download Submit
C:\GAB\13569.fon

Filesize
8KB

MD5
b6957df280018689a444e32444d9c541

SHA1
98ae6afa03b1202cdcf13583444cd61f45d38be0

SHA256
3deef61582bea18f8073c862873a9c373df13143b7de302f66cdfa23cb535c3f

SHA512
f3813b2a448fe33246d58968f12225e7a2b21ab92d01445d8d134cb9e1afe0415275a35c741493b7060a0c13d94fe4bfd48e2dea25cc7647021e6c60d54247b6

Download Submit
C:\GAB\13569.ttc

Filesize
11.6MB

MD5
ee91c2903c341b3ce339cdb85ae23d35

SHA1
698e8b918b71dec6c9334c27deea9ff7a93ec607

SHA256
bc538de3dc17f25d27709fb9834b18032a1b30f0f0e5e83553a9ea5c6c824e18

SHA512
6d1a3e37f97067754ed9c9fb3ce5e3253eaa7406a4b94d60a11319f17497f1f1f3b3b9d0653be29bb466b55e048a5526091cdc48cf093ddf88d70ec781865cb3

Download Submit
C:\GAB\13569.ttc

Filesize
957KB

MD5
69477e688bc7ba8aed8d51c638cdf46d

SHA1
1c8b1b7055d62bcfa1f39548fa4c9904d0e1865c

SHA256
9ba07e98c2dfe00c7f00a44cc74da52a9818d39988a105c6af6974a63d04b9ad

SHA512
fd0f8b61b27df49e5705ac46436d888f55f2905e85873278ab3e41e5cfbc72701a6324dd46b2554592e7b0c22042a5903ee6896a874d1829c0bb682d9276b880

Download Submit
C:\GAB\13569.ttc

Filesize
13.0MB

MD5
e868c731ec770c425dbc74881b3ca936

SHA1
a8dc99a2e0bc3360f8441243aab13fe7279a759a

SHA256
1e5a4b342c6417bb9352e8c29cb839413987a06438e7b48fd0320925827f289c

SHA512
51bbdbcd06bc41c1ef6a589ca2b6300f1f9350d11b8bfa60605c7a68a0d6a714998bec6060cbc3b27dd2d1485d57f344890b0278d7313dbdb5593334ceea3b49

Download Submit
C:\SalaNses\soles.exe

Filesize
1.2MB

MD5
acebc69ae67997867002990dae3f699d

SHA1
8483b45b2faaa21ad548e72fb49ae3a08143334e

SHA256
f545fbcf52e694eaed07f7869ee67d1dffea29a3769e2482f5eccb3c21148442

SHA512
6c9f88407ffbf228f44270c28d0eeba804a8f3198454becebdd5f2d13eda5c1f0407f1e98569bbcd490225a10ba6e1917c1af1971bd1f636a71250b602dcbf28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
e3589b4b225b883a87c2648dd1c714b8

SHA1
c5391df178e086958090563731e539d1453b9735

SHA256
0ef5f502a96f239c6ce80a0c013965acd5fffd235986b3770e9350cf9c6e49b0

SHA512
ea9e63896874212dc624db909ab039f24e47f762d4fda00e1c4ac03a71c8a630dbb96a3972a9f17b7a39553b54c7d459b3e0ef2f435fd768c2c091486fee6a1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
ed42fd8c3a9358b52ed7e95f8c801529

SHA1
00063eb21db8356b52ad00dfc00ead5a48a098e4

SHA256
fa40b1dd1967807eb072fa27a6a0f96f42acda46fcfa74adbd8a77fd26579163

SHA512
0f586dfb14545eec97a0780fc568d94abcd73c6ec5c689cb59d50a56e92cac170a89c907e89dce254fe5a29afd31d4a165813e7aa14f012d2e9968dc7447149c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
99d573400bdcfc25fb29ae69a6f41805

SHA1
f5b3d2d7b50080c053a6e6296f869069a8204e66

SHA256
a036d01ffccd9c1a2ec7703f8f9a878547c5f48f0ee4a544bd7c72063a80edd5

SHA512
26d943dde60cfcbdcebead09d9d7997de9248b34a6d583b55ddf471d6e89d3e5cc3fd9875371df6b44f2bc2ecc43edd4cf90826890e6136ad53e8bc1673053ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
7f4597c91a9a1446c41021c405a2c607

SHA1
b868b98c5f775ffa6bab5456948639cf51470630

SHA256
cb642e33fd6b4138223db24685f27f27caf07468cff819a5b8af5f4a2d143949

SHA512
5bc23463daa716927e8cc438f6374d078704a75ae387c385c49fe39053ded31187ca4f391107ee4f7f49dcc46c08618c4c4f7e6cc36bed80105b1158126907cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
c71ffeb77f68a5b6fdcf57b31ecd32de

SHA1
71db0ac60bad20daa5a2b985f54a0f47ee8c478c

SHA256
cc36d231982020999b70c11a62e5c29c38b8a0824b15d633b3f7fe250cf54c42

SHA512
423828a031c97e9a52fa5cd34b2e0748f7ad32ca22a0664399fa9d79293b358f5831c01666dd64b3028e239bfaabc040d9a13adc750a6b68bcdc311ac3631ece

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
18a86ebce87d1c3a397b6e533bfba4c8

SHA1
a3e48e32093853f2194b3a8b6b2ff4f0f5a84d53

SHA256
2865597b44a87b14d02edafef2622de013ddf5bf28c3992f9f24372edebf45b3

SHA512
b8aa7e01126c4f950041007b9d033db4deaff5dbcc64a9af1a6c9ef1037715fa90df8cf618e7a1ff834c86034e8afeee1cf7b13942e53885c9caccf4bd014b1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ab0ce49f19ce668d27359c663af9e0ae

SHA1
7fac8c3fcf7e382a950ce600f7d3e6faf355f8ec

SHA256
6761b6d95e381265597acb4f6f41b8e4da446ada9a3e315bdfadc5edf12a8298

SHA512
0ff7a2c291b6f588f1cbc0675fcf7bede50879aa7e74e71deecd50606c49d83a1a9b9c3bd370412fa2b9019e614b21715d011b62597c36ff623da59467854572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d2e331cec13ec89765084aaa74adfd28

SHA1
ee30d7b0d3aa41b3de13b047dc710d9bb84e08c7

SHA256
b24d1ab82bc1a271d71a05d05874f526c9f158b599bdc526c7a765bc7734dbbe

SHA512
56d1393816376f6653d4a7f39db6adc7398b1cadb538fb1cdf6bf83a45b43a0aef28a44764eb69e53372ffe34db0948c77582c11ad033f7d62abb5e9869ea3c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6bbe579e3c18e108d2d29ce272b27a81

SHA1
24c07483bc294d9b3be6f36a90e4695693521d2b

SHA256
7b8a0599362630d5babd3463e2099f3693cccc6c2fb219f6ab772dd29de895cd

SHA512
aab348b0d483d08c4e59a3a48bc658954263900fccc3f582ccfc54837e317a01c2559eb314e048ee1f00179d7c002a4588064f87c990722f3d80b329c5161e1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cbc352558279d35fb0014809aecc617a

SHA1
0dcae5872d31891f16f3629e726cbef63a211436

SHA256
cf0f5265d54aa1acea53d30aa3bc0e8dc93c922207051e5b5afe9670eccce46d

SHA512
87360b31a5fbf7ac26349d0f7c57ac231873fa6f3ff125007cb6d302a1f9c38c7880221dcc5355de9b03a191caffdda110661923299b82db2d86d9f1a7c213e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409131515591\additional_file0.tmp

Filesize
1.4MB

MD5
e9a2209b61f4be34f25069a6e54affea

SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0

SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS403636D7\setup.exe

Filesize
6.4MB

MD5
defd30ea336650cc29c0c79fad6fa6b5

SHA1
935d871ed86456c6dd3c83136dc2d1bda5988ff3

SHA256
015a13bd912728e463df6807019b1914dffc3e6735830472e3287150a02e13f4

SHA512
8c6ebbf398fb44ff2254db5a7a2ffbc8803120fa93fa6b72c356c6e8eca45935ab973fe3c90d52d5a7691365caf5b41fe2702b6c76a61a0726faccc392c40e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2409131515581565224.dll

Filesize
5.9MB

MD5
640ed3115c855d32ee1731c54702eab7

SHA1
1ac749b52794cbadfec8d9219530e9a79fc9427c

SHA256
29b4cabc7a0e9dffbc2395b976749be0aad88357dd3b1d7e0cfc9b0c645421a3

SHA512
bebe55fdbb363b78c4a6371304f65b89e03a03cee5a8ebceee1681261d8df64a0de36888ed763c3a607ae2732ab54e2e41edb624f37a7fdf8755c40e6bb96f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\!m.bat

Filesize
1KB

MD5
d295fd5b892b165427abecd1b5aac987

SHA1
ec1bb8ab7bb5ffd6d1c971fde332dab00f78cf5b

SHA256
855a00d99d2cb67512ca1fb49a9954bc085ed9ada3a2d2226757bb347e2cad58

SHA512
800d97dfdb1ef9923c82bf31a77b4cad49bf886aa055d5ee7f4396bc6bcd597a9e638ccdd1cd4878de7d8d273d60228604f97ee6e5b07668002fb08e9636f289

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\VCRUNTIME140D.dll

Filesize
130KB

MD5
ee7fbf8768a87ea64ad4890540ce48f9

SHA1
bcbc1ebd5a592c2df216d3211f309a79f9cd8a9b

SHA256
03eafdf65d672994e592b8acc8a1276ccae1218a5cb9685b9aa6a5ffe1a855fe

SHA512
0cbf346d46b5c0b09c1f3fb4837c8df662bf0c69de8c4ae292b994ec156c91b78dbaad733226d765b1ca3ee1695566dc90bf85086e438fa15b9eb32058abce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\anti.exe

Filesize
1.9MB

MD5
cb02c0438f3f4ddabce36f8a26b0b961

SHA1
48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256
64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512
373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\avg.exe

Filesize
5.8MB

MD5
0dc93e1f58cbb736598ce7fa7ecefa33

SHA1
6e539aab5faf7d4ce044c2905a9c27d4393bae30

SHA256
4ec941f22985fee21d2f9d2ae590d5dafebed9a4cf55272b688afe472d454d36

SHA512
73617da787e51609ee779a12fb75fb9eac6ed6e99fd1f4c5c02ff18109747de91a791b1a389434edfe8b96e5b40340f986b8f7b88eac3a330b683dec565a7eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\bundle.exe

Filesize
429KB

MD5
ae4581af98a5b38bce860f76223cb7c9

SHA1
6aa1e2cce517e5914a47816ef8ca79620e50e432

SHA256
7c4b329a4018dc7e927a7d1078c846706efae6e6577f6809defaa51b636e7267

SHA512
11ad90a030999bbb727dbfde7943d27f2442c247633cde5f9696e89796b0f750f85a9be96f01fa3fd1ec97653a334b1376d6bb76d9e43424cabe3a03893ecf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\butdes.exe

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\code.js

Filesize
4KB

MD5
016bf2cf2bad527f1f1ea557408cb036

SHA1
23ab649b9fb99da8db407304ce9ca04f2b50c7b4

SHA256
17bb814cfaa135628fd77aa8a017e4b0dcd3c266b8cdca99e4d7de5d215643c0

SHA512
ac2d4f51b0b1da3c544f08b7d0618b50514509841f81bc9dad03329d5c1a90e205795a51ca59522d3aa660fb60faae19803eceeeea57f141217a6701a70510e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\doc.html

Filesize
15KB

MD5
5622e7755e5f6585a965396b0d528475

SHA1
b059dc59658822334e39323b37082374e8eeaac4

SHA256
080cb8ef0cbf5a5de9163b365eec8b29538e579f14a9caa45c0f11bc173c4147

SHA512
62f5abda3473ca043bf126eed9d0bcc0f775b5ac5f85b4fe52d1d656f476f62188d22cf79b229059a5d05e9258980c787cb755f08ca86e24e5f48655b5447f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\download.jpg

Filesize
8KB

MD5
01a5131931ef35acecbe557ba13f3954

SHA1
c7afc7590d469432704d963ffcee31ad8bcfc175

SHA256
d364872ddde28d81d23bb3b08f9e86f921b542f3a35fcaf12549cf5666462bd0

SHA512
ce32352484d676bd0f47c24808707c603fe9f09e41afd63d90f07599f13a5e32c73b0970a9964632f76f5843dda87a033340ee12fadd87b9f219329d0c69b02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\fence.bat

Filesize
167B

MD5
6465a5431e01a80bf71aca9e9698e5b0

SHA1
d56ed108f13a6c49d57f05e2bf698778fd0b98dc

SHA256
1c5f05fecfc1f4fd508f1d3bbb93a47e8b8196b9eded5de7152a6fa57ca7580f

SHA512
db7f64b8af595d0bf6fd142471868df6d29ec7cfbb49a7e0da63d9bc8ca8f319e4c41f2c7baeafe17a3679861163400ccb36c18617982b244aaf482e9c264e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\flydes.exe

Filesize
833KB

MD5
b401505e8008994bf2a14fdf0deac874

SHA1
e4f7f375b1e88dd71a0274a997ed5d9491bde068

SHA256
6bcf6b84d71737787e3cc8d9d0eed9720f388cc2d0337832a7e8ca3c6f455a41

SHA512
1bca98547ecf5a98d42b1d77cff50ca79ee560c893b2470aeb86887fef6e40a5ccdb72956f04a1d2a862827eebd3b7746e3043f3e6209597dcde9385ed55cc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\fries.jpg

Filesize
12KB

MD5
c4d9d3cd21ef4de91abc95f99c4bc7dc

SHA1
b2cf457237c44c824068727b8440fe6a352a360c

SHA256
6fd1c3bde9a6a478e39d1cf2121e980c0bcf59454fe1673d707aa70170953bc9

SHA512
d10fbb0bdfb30160484950aa58bd2f97c38cf2d0914550b4041c9acd273e8013920ef1ee74216f92437a44ab81111a4c70ed3dc2df680ee4d187c22557900ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\g_.exe

Filesize
69KB

MD5
3cb72c753dd5e198792d1e0be81f7e2b

SHA1
8a55b72a998bf8362a12f68ee8c4801a5a24754c

SHA256
be9d8772b360ca8054929e5f057413b69932ca8e521e6c696e0fb6b371e8cb97

SHA512
008ed2e26fb4f41e9bb245130cc8f285744ccf737adeffc4c78cb11c03261f906cfd50b5b9e78f2c17dc2b8a01d83554e93f4960370064af87e84322cc78ee70

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\gadget.msi

Filesize
23.4MB

MD5
906ad3937f0abd2e5383dc162340496b

SHA1
d63fe621af79e1468ee0cf52e119ffd21775ca8a

SHA256
821e33cf757bd01bec6703796c01726e6674b8de3bc1e7ea834318039e46909e

SHA512
624d76f7905f57679b647cfc676aa8c55cac72d6baa60db7d5ae45662de5da55f856f64adca382b315810088e757903f6c051685fcc83fe330016a8a95754d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\gx.exe

Filesize
3.1MB

MD5
80bf3bf3b76c80235d24f7c698239089

SHA1
7f6071b502df985580e7c469c6d092472e355765

SHA256
2b95e56af10406fbd3ecee38dab9e9c4a9b990d087f2ad2d7b1981c087829da2

SHA512
076b8b6a80ea15738ce682cc715792546582d7a74f971f94f6b5b9cf8164f01280322baec7f72894ac4b8d63b9f2f6074e8fc5e47880ef6c0b57a47beef3581a

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\i.exe

Filesize
12KB

MD5
cea5426da515d43c88132a133f83ce68

SHA1
0c224d0bb777f1e3b186fdf58cc82860d96805cc

SHA256
2be7a0865ded1c0bd1f92d5e09bb7b37a9e36a40487a687e0359c93878611a78

SHA512
4c1f25147222c84dff513bebf00e828719454ad634ef9380cfc7835f0457a718b4b437ecb60c1fa72a7f83fbb67e1ddfcd225194eedda77034c72f8c752c642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\images.jpg

Filesize
13KB

MD5
49f4fe0c8646909c7cf87adf68d896fd

SHA1
9193264c38e5ed9fa0f5be1d79f802cf946a74cf

SHA256
9292dfcddc9e88e5dbc095ceeb83ce23400a3405a4d47fffc80656941c87d5ec

SHA512
9df4db8c958110cea66f627170919346ed673d3c13aa55292484fc74ebac2864b0292cd4d66d35957b4b2740b2fe30ddfb9d9e04115d655fb58bf39e100d285e

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\nuggets.webp

Filesize
32KB

MD5
e40209599b592630dcac551daeb6b849

SHA1
851150b573f94f07e459c320d72505e52c3e74f0

SHA256
3c9aefa00fb2073763e807a7eccac687dcc26598f68564e9f9cf9ffdcd90a2be

SHA512
6da5895f2833a18ddb58ba4a9e78dd0b3047475cae248e974dc45d839f02c62772a6ba6dfe51dd9a37f29b7ec9780e799f60f0e476655006dec693164e17eec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\rckdck.exe

Filesize
6.2MB

MD5
a79fb1a90fb3d92cf815f2c08d3ade6d

SHA1
25e5e553af5e2d21b5cfc70ba41afb65202f6fd5

SHA256
43759b0c441fd4f71fe5eeb69f548cd2eb40ac0abfa02ea3afc44fbddf28dc16

SHA512
82aa45337987c4f344361037c6ca8cf4fbf0fc1e5079ac03f54f3184354792965f6f3b28bd2ab7b511d21f29859e2832fc6b6122a49ddecde12afc7e26fd62dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\stopwatch.exe

Filesize
68KB

MD5
338a4b68d3292aa22049a22e9292e2a2

SHA1
9595e6f6d5e18a3e71d623ac4012e7633b020b29

SHA256
490d833205f9dfe4f1950d40c845489aa2d2039a77ab10473384986f8442ea6f

SHA512
06bc6463b65508d050c945d5bf08078eecd6982c74c7bab2a6722b99523189d24f530c10c05577e0dbd5b46e896d472112d036023ef5e576e2a8f9401b8668a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\t.exe

Filesize
62KB

MD5
9e0c60453cdea093fa4c6762f9b1fda9

SHA1
02dfa74e42739c4e8a9a0534273f6a89b51f1dd3

SHA256
269c6da90935306778f4f76005d1f00b49703f8819b60e2764cc14a5abc9a781

SHA512
fc499cb6b98529c7a856c9ec7198f2a6d00d0c0d6b16e826913ab8dca2602f6700e3956749d3316484b94e6867f54cf99aa77f23375ea6c5ea75daa88c91aa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0lko_b2777105-94e8-4a91-9ee9-8fb7018fa785\telamon.exe

Filesize
2.3MB

MD5
6a80889e81911157ca27df5bc5ac2e09

SHA1
02ac28dd7124317e294fac847a05b69411c9cdb2

SHA256
0b74c13914f712fce5bb41c25a443c4214a97792bdbb6fea05b98350901405ff

SHA512
329ec105834f4531386090074994e5c4ddbdaf4cc4801956b675e258e9167f9e70cf31b8d636d119b59b57af0912decdc259d12999842008cec807a967c89aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nbhcwznl.dir.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-60PGM.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-60PGM.tmp\tt-installer-helper.exe

Filesize
404KB

MD5
5b4c8e63be988b83b09e13e9d1d74bb9

SHA1
bcb242f54ee83f232df6b871aebc0f3d44e434c6

SHA256
8ae877bd5f45975d827280bee2e19021c3401b5ba069df0e556f6911798adb4d

SHA512
a31f9e24a4a27847516808b24f312d4df6b865eb421f84d8d4fc022bdb309e08e5648c52c13772a48456c578f3771d232539c7d30132a82a08e8ebbabcbffa0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NRNRL.tmp\is-9R0JD.tmp

Filesize
659KB

MD5
5aa68bb2bf3b994bda93834ad34e7963

SHA1
0156732d5dd48feacfab3aa07764061d73b9116c

SHA256
a90bfd9874c3e60650dba4c286b97ccdb375a456b95556feb38f3cba214770aa

SHA512
e52fecbba96aa911552ef0e11d5d044ec44caf6e0947f64c9a17b04d846a3e86d19e4dfa5ac981fc98d44f941fda3a697c1d23ac6e8ef162f4bcdde9142f22f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PA1S8.tmp\telamon.tmp

Filesize
3.1MB

MD5
292d91bef15a5a5d5f5c06425a96e0ee

SHA1
5f4400c94ceebf54825e94cb5d9f616850331e96

SHA256
b6f6cbd03951a6feee4d4766443ce0b7623db000cbfe774146ee43f5a5831373

SHA512
0aca0538ce4c94ef9a8008846add36f51db001905f6cdb373a0348094f11762269aaf92928c6761eb41b1b22cd045ece325b9cd71c67944a1e6c092a72fca200

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VE5D0.tmp\flydes.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiE16.tmp\CR.History.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiE16.tmp\CR.History.tmp

Filesize
124KB

MD5
c1521da8e837ba2e6fc534f78e1f7ded

SHA1
c78f461da9930e90fde1a2110ab2c46dea447b7d

SHA256
28d2709be197536db8e841b3e31775e07b51c6aec8e34c0b533496f44ddf25cf

SHA512
fd7ee41388748a4dd7e6064bb847f6777867ddf3fa493cb7f95176f75af2d2dc4839d990ed56d3a841388fcda9a9d368a847f34db8eef63a8e0c1058541be104

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiE16.tmp\FF.places.tmp

Filesize
5.0MB

MD5
cbece3c2194c72ccb5970bc76f5b257e

SHA1
b33cddd26253cf1fbbf7e63f9529fc0f8ad270cb

SHA256
5217ba740476f6b332769e9e84b8f2ecdec8c1f4ad7145c9a9b802011644353a

SHA512
4f3de0fe5a2ab6d1e7685a79b6cfbdc69740bd7853a52afb5bb189ad21b8b899cea19522ac1e7e02dbd4e58fc3794e7ae3cb9faa429988573ec5b5748b77af3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiE16.tmp\Midex.dll

Filesize
126KB

MD5
2597a829e06eb9616af49fcd8052b8bd

SHA1
871801aba3a75f95b10701f31303de705cb0bc5a

SHA256
7359ca1befdb83d480fc1149ac0e8e90354b5224db7420b14b2d96d87cd20a87

SHA512
8e5552b2f6e1c531aaa9fd507aa53c6e3d2f1dd63fe19e6350c5b6fbb009c99d353bb064a9eba4c31af6a020b31c0cd519326d32db4c8b651b83952e265ffb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF0DA.tmp\JsisPlugins.dll

Filesize
2.1MB

MD5
d21ae3f86fc69c1580175b7177484fa7

SHA1
2ed2c1f5c92ff6daa5ea785a44a6085a105ae822

SHA256
a6241f168cacb431bfcd4345dd77f87b378dd861b5d440ae8d3ffd17b9ceb450

SHA512
eda08b6ebdb3f0a3b6b43ef755fc275396a8459b8fc8a41eff55473562c394d015e5fe573b3b134eeed72edff2b0f21a3b9ee69a4541fd9738e880b71730303f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF0DA.tmp\StdUtils.dll

Filesize
195KB

MD5
34939c7b38bffedbf9b9ed444d689bc9

SHA1
81d844048f7b11cafd7561b7242af56e92825697

SHA256
b127f3e04429d9f841a03bfd9344a0450594004c770d397fb32a76f6b0eabed0

SHA512
bc1b347986a5d2107ad03b65e4b9438530033975fb8cc0a63d8ef7d88c1a96f70191c727c902eb7c3e64aa5de9ce6bb04f829ceb627eda278f44ca3dd343a953

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF0DA.tmp\jsis.dll

Filesize
127KB

MD5
2027121c3cdeb1a1f8a5f539d1fe2e28

SHA1
bcf79f49f8fc4c6049f33748ded21ec3471002c2

SHA256
1dae8b6de29f2cfc0745d9f2a245b9ecb77f2b272a5b43de1ba5971c43bf73a1

SHA512
5b0d9966ecc08bcc2c127b2bd916617b8de2dcbdc28aff7b4b8449a244983bfbe33c56f5c4a53b7cf21faf1dbab4bb845a5894492e7e10f3f517071f7a59727c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF0DA.tmp\nsJSON.dll

Filesize
36KB

MD5
f840a9ddd319ee8c3da5190257abde5b

SHA1
3e868939239a5c6ef9acae10e1af721e4f99f24b

SHA256
ddb6c9f8de72ddd589f009e732040250b2124bca6195aa147aa7aac43fc2c73a

SHA512
8e12391027af928e4f7dad1ec4ab83e8359b19a7eb0be0372d051dfd2dd643dc0dfa086bd345760a496e5630c17f53db22f6008ae665033b766cbfcdd930881a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF0DA.tmp\thirdparty.dll

Filesize
93KB

MD5
7b4bd3b8ad6e913952f8ed1ceef40cd4

SHA1
b15c0b90247a5066bd06d094fa41a73f0f931cb8

SHA256
a49d3e455d7aeca2032c30fc099bfad1b1424a2f55ec7bb0f6acbbf636214754

SHA512
d7168f9504dd6bbac7ee566c3591bfd7ad4e55bcac463cecb70540197dfe0cd969af96d113c6709d6c8ce6e91f2f5f6542a95c1a149caa78ba4bcb971e0c12a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1E7E70E1-3B57-49C0-9EEF-3918EF2E8DC4}\scrt.dll

Filesize
5.7MB

MD5
f36f05628b515262db197b15c7065b40

SHA1
74a8005379f26dd0de952acab4e3fc5459cde243

SHA256
67abd9e211b354fa222e7926c2876c4b3a7aca239c0af47c756ee1b6db6e6d31

SHA512
280390b1cf1b6b1e75eaa157adaf89135963d366b48686d48921a654527f9c1505c195ca1fc16dc85b8f13b2994841ca7877a63af708883418a1d588afa3dbe8

Download Submit
C:\Users\Admin\AppData\Roaming\TESAYt.exe

Filesize
934KB

MD5
f7f32729079353000cd97b90aa314cc1

SHA1
21dbddeea2b634263c8fbf0d6178a9751d2467b8

SHA256
8e29aa00863b1746ba25132f7ecb7bcb869d3a7e647dc8d6d3255491c5ac5212

SHA512
2c40c12b81e7c377ddf0a6691ebeedc895dcf02c9211a1563b840de735fab77968565b1d3d0c40cc0b2b583fd4bfa1c69f995fca758ea85f548bf5797b5bf847

Download Submit
C:\Windows\System\NGOJToq.exe

Filesize
5.2MB

MD5
d86b078cb3e9da67f6c656c184e231fc

SHA1
b4a7e554c4e10433d08e93a0df6079c0e873c4ed

SHA256
5f75f58f4e74f7434186399b938e64cd30f5b2123f661bf59fe75fba0bcfe4b6

SHA512
932e14e7bb85fe40b4611683c4945ee312d877610df2a5cdc980202014b287b5c0b35a461e78d207e84306c56bf0fd441f663275a88f5bc2d354dcc98aede4c2

Download Submit
\??\pipe\LOCAL\crashpad_2128_EJAXZLOHLRYDXQBB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/32-264-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/32-66-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/288-2321-0x0000000006330000-0x0000000006380000-memory.dmp

Filesize
320KB

Download
memory/288-2293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/804-404-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/804-169-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/868-54-0x0000000005A00000-0x0000000005A92000-memory.dmp

Filesize
584KB

Download
memory/868-243-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/868-59-0x0000000005BF0000-0x0000000005C46000-memory.dmp

Filesize
344KB

Download
memory/868-58-0x00000000059B0000-0x00000000059BA000-memory.dmp

Filesize
40KB

Download
memory/868-57-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/868-52-0x00000000058C0000-0x000000000595C000-memory.dmp

Filesize
624KB

Download
memory/868-53-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/868-51-0x0000000000E60000-0x0000000001052000-memory.dmp

Filesize
1.9MB

Download
memory/2036-405-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2320-2153-0x00007FF6CC7E0000-0x00007FF6CCB31000-memory.dmp

Filesize
3.3MB

Download
memory/2320-2173-0x000001E503D60000-0x000001E503D70000-memory.dmp

Filesize
64KB

Download
memory/2320-2276-0x00007FF6CC7E0000-0x00007FF6CCB31000-memory.dmp

Filesize
3.3MB

Download
memory/2376-266-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2388-2154-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2388-2277-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2412-422-0x0000000009BE0000-0x0000000009BEE000-memory.dmp

Filesize
56KB

Download
memory/2412-415-0x0000000006550000-0x0000000006558000-memory.dmp

Filesize
32KB

Download
memory/2412-364-0x0000000000F70000-0x0000000000F8C000-memory.dmp

Filesize
112KB

Download
memory/2412-421-0x0000000009C20000-0x0000000009C58000-memory.dmp

Filesize
224KB

Download
memory/3008-267-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3164-265-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3164-71-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3468-2223-0x00007FF6F9CA0000-0x00007FF6F9FF1000-memory.dmp

Filesize
3.3MB

Download
memory/3468-2291-0x00007FF6F9CA0000-0x00007FF6F9FF1000-memory.dmp

Filesize
3.3MB

Download
memory/3496-2262-0x00007FF65C210000-0x00007FF65C561000-memory.dmp

Filesize
3.3MB

Download
memory/3836-2283-0x00007FF6EB0A0000-0x00007FF6EB3F1000-memory.dmp

Filesize
3.3MB

Download
memory/3836-2235-0x00007FF6EB0A0000-0x00007FF6EB3F1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-2237-0x00007FF626F20000-0x00007FF627271000-memory.dmp

Filesize
3.3MB

Download
memory/4136-158-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4136-403-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4328-2226-0x00007FF678970000-0x00007FF678CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4328-2345-0x00007FF678970000-0x00007FF678CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4516-2261-0x00007FF6E99F0000-0x00007FF6E9D41000-memory.dmp

Filesize
3.3MB

Download
memory/4516-2341-0x00007FF6E99F0000-0x00007FF6E9D41000-memory.dmp

Filesize
3.3MB

Download
memory/4620-195-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/4620-1-0x0000000000630000-0x000000000067A000-memory.dmp

Filesize
296KB

Download
memory/4620-2-0x0000000002980000-0x00000000029A4000-memory.dmp

Filesize
144KB

Download
memory/4620-3-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/4620-4-0x00000000058C0000-0x0000000005E64000-memory.dmp

Filesize
5.6MB

Download
memory/4620-148-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/4620-0-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/4620-2172-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/5172-406-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/5240-2254-0x00007FF641A50000-0x00007FF641DA1000-memory.dmp

Filesize
3.3MB

Download
memory/5304-280-0x00007FF645E30000-0x00007FF645E57000-memory.dmp

Filesize
156KB

Download
memory/5532-289-0x00007FF77CA10000-0x00007FF77CA36000-memory.dmp

Filesize
152KB

Download
memory/5564-2253-0x00007FF7E7730000-0x00007FF7E7A81000-memory.dmp

Filesize
3.3MB

Download
memory/5584-598-0x0000000066750000-0x000000006679C000-memory.dmp

Filesize
304KB

Download
memory/5588-2252-0x00007FF7E2E50000-0x00007FF7E31A1000-memory.dmp

Filesize
3.3MB

Download
memory/5676-637-0x0000000066750000-0x000000006679C000-memory.dmp

Filesize
304KB

Download
memory/5680-617-0x0000000007DD0000-0x000000000844A000-memory.dmp

Filesize
6.5MB

Download
memory/5680-709-0x00000000066A0000-0x00000000066A8000-memory.dmp

Filesize
32KB

Download
memory/5680-433-0x0000000005D80000-0x00000000060D4000-memory.dmp

Filesize
3.3MB

Download
memory/5680-572-0x0000000006A10000-0x0000000006A42000-memory.dmp

Filesize
200KB

Download
memory/5680-690-0x00000000079C0000-0x00000000079CE000-memory.dmp

Filesize
56KB

Download
memory/5680-698-0x00000000079D0000-0x00000000079E4000-memory.dmp

Filesize
80KB

Download
memory/5680-423-0x0000000005480000-0x00000000054A2000-memory.dmp

Filesize
136KB

Download
memory/5680-424-0x0000000005CA0000-0x0000000005D06000-memory.dmp

Filesize
408KB

Download
memory/5680-705-0x00000000066B0000-0x00000000066CA000-memory.dmp

Filesize
104KB

Download
memory/5680-659-0x0000000007990000-0x00000000079A1000-memory.dmp

Filesize
68KB

Download
memory/5680-636-0x0000000007A20000-0x0000000007AB6000-memory.dmp

Filesize
600KB

Download
memory/5680-425-0x0000000005D10000-0x0000000005D76000-memory.dmp

Filesize
408KB

Download
memory/5680-583-0x00000000069F0000-0x0000000006A0E000-memory.dmp

Filesize
120KB

Download
memory/5680-496-0x00000000067E0000-0x000000000682C000-memory.dmp

Filesize
304KB

Download
memory/5680-584-0x0000000007440000-0x00000000074E3000-memory.dmp

Filesize
652KB

Download
memory/5680-573-0x0000000066750000-0x000000006679C000-memory.dmp

Filesize
304KB

Download
memory/5680-407-0x0000000004E90000-0x0000000004EC6000-memory.dmp

Filesize
216KB

Download
memory/5680-631-0x00000000051E0000-0x00000000051EA000-memory.dmp

Filesize
40KB

Download
memory/5680-618-0x0000000007790000-0x00000000077AA000-memory.dmp

Filesize
104KB

Download
memory/5680-495-0x0000000006440000-0x000000000645E000-memory.dmp

Filesize
120KB

Download
memory/5680-408-0x0000000005600000-0x0000000005C28000-memory.dmp

Filesize
6.2MB

Download
memory/5836-306-0x00007FF66FA80000-0x00007FF66FAA6000-memory.dmp

Filesize
152KB

Download
memory/5836-567-0x00007FF66FA80000-0x00007FF66FAA6000-memory.dmp

Filesize
152KB

Download
memory/6092-509-0x00007FF6066F0000-0x00007FF606719000-memory.dmp

Filesize
164KB

Download
memory/6092-268-0x00007FF6066F0000-0x00007FF606719000-memory.dmp

Filesize
164KB

Download
memory/6252-2260-0x00007FF6C1510000-0x00007FF6C1861000-memory.dmp

Filesize
3.3MB

Download
memory/6312-2156-0x0000000000250000-0x000000000033A000-memory.dmp

Filesize
936KB

Download
memory/6312-2284-0x0000000006560000-0x00000000065E2000-memory.dmp

Filesize
520KB

Download
memory/6312-2232-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/6384-2160-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/6384-2161-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/6432-2258-0x00007FF7C0510000-0x00007FF7C0861000-memory.dmp

Filesize
3.3MB

Download
memory/6436-2251-0x00007FF7EA3E0000-0x00007FF7EA731000-memory.dmp

Filesize
3.3MB

Download
memory/6500-2289-0x00007FF79ACA0000-0x00007FF79AFF1000-memory.dmp

Filesize
3.3MB

Download
memory/6500-2197-0x00007FF79ACA0000-0x00007FF79AFF1000-memory.dmp

Filesize
3.3MB

Download
memory/6624-2255-0x00007FF730E60000-0x00007FF7311B1000-memory.dmp

Filesize
3.3MB

Download
memory/6632-2244-0x00007FF7C6E20000-0x00007FF7C7171000-memory.dmp

Filesize
3.3MB

Download
memory/6640-2282-0x00007FF777F20000-0x00007FF778271000-memory.dmp

Filesize
3.3MB

Download
memory/6640-2219-0x00007FF777F20000-0x00007FF778271000-memory.dmp

Filesize
3.3MB

Download
memory/6640-2340-0x00007FF777F20000-0x00007FF778271000-memory.dmp

Filesize
3.3MB

Download
memory/6704-2256-0x00007FF772250000-0x00007FF7725A1000-memory.dmp

Filesize
3.3MB

Download
memory/6708-2344-0x00007FF6B91C0000-0x00007FF6B9511000-memory.dmp

Filesize
3.3MB

Download
memory/6708-2246-0x00007FF6B91C0000-0x00007FF6B9511000-memory.dmp

Filesize
3.3MB

Download
memory/6836-2159-0x0000000005870000-0x0000000005892000-memory.dmp

Filesize
136KB

Download
memory/6836-2157-0x0000000000E70000-0x0000000001012000-memory.dmp

Filesize
1.6MB

Download
memory/6836-2158-0x0000000005960000-0x0000000005A42000-memory.dmp

Filesize
904KB

Download
memory/6904-1770-0x0000000000C40000-0x0000000000FFB000-memory.dmp

Filesize
3.7MB

Download
memory/6904-672-0x0000000000C40000-0x0000000000FFB000-memory.dmp

Filesize
3.7MB

Download
memory/6904-1398-0x0000000000C40000-0x0000000000FFB000-memory.dmp

Filesize
3.7MB

Download
memory/6944-2257-0x00007FF7F90C0000-0x00007FF7F9411000-memory.dmp

Filesize
3.3MB

Download
memory/6996-2294-0x00007FF70C7C0000-0x00007FF70CB11000-memory.dmp

Filesize
3.3MB

Download
memory/6996-2243-0x00007FF70C7C0000-0x00007FF70CB11000-memory.dmp

Filesize
3.3MB

Download
memory/7000-2259-0x00007FF6724B0000-0x00007FF672801000-memory.dmp

Filesize
3.3MB

Download
memory/7064-2314-0x0000000005E10000-0x0000000005E5C000-memory.dmp

Filesize
304KB

Download
memory/7064-2304-0x0000000005670000-0x00000000059C4000-memory.dmp

Filesize
3.3MB

Download