Analysis
-
max time kernel
1200s -
max time network
1199s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13-09-2024 18:02
Behavioral task
behavioral1
Sample
P0lko.exe
Resource
win10v2004-20240802-en
General
-
Target
P0lko.exe
-
Size
58.8MB
-
MD5
92324704460069685d278b419076e962
-
SHA1
5c89b31ee9e989d455433e5441eafea5c6a8d208
-
SHA256
39273dc31814624c3e37db9b826fcabce650612235f830d720284eccc472362d
-
SHA512
347ce3fd432fc548c075e5ffd62c3355511ffa987d52e2e3f01cda04e3b43a7a2bfbd076347293fe66b6ad9d062c67457134b5d21f444ce7623a1866a84a657d
-
SSDEEP
1572864:8LOrJXzVj0mz3uu2etPQiWmoh8rEf8CQG2Y:8LqJXBj0kuu3IDmnrEAY
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.iaa-airferight.com - Port:
587 - Username:
[email protected] - Password:
webmaster - Email To:
[email protected]
Extracted
lumma
https://murderryewowp.shop/api
https://complainnykso.shop/api
https://basedsymsotp.shop/api
https://charistmatwio.shop/api
https://grassemenwji.shop/api
https://stitchmiscpaew.shop/api
https://commisionipwn.shop/api
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Cobalt Strike reflective loader 1 IoCs
Detects the reflective loader used by Cobalt Strike.
resource yara_rule behavioral1/files/0x000400000001e781-2374.dat cobalt_reflective_dll -
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
ModiLoader Second Stage 1 IoCs
resource yara_rule behavioral1/memory/2064-2497-0x0000000000400000-0x0000000000451000-memory.dmp modiloader_stage2 -
XMRig Miner payload 20 IoCs
resource yara_rule behavioral1/memory/6252-2435-0x00007FF722A10000-0x00007FF722D61000-memory.dmp xmrig behavioral1/memory/5876-2433-0x00007FF6A8250000-0x00007FF6A85A1000-memory.dmp xmrig behavioral1/memory/7056-2442-0x00007FF799D10000-0x00007FF79A061000-memory.dmp xmrig behavioral1/memory/2040-2451-0x00007FF79DA80000-0x00007FF79DDD1000-memory.dmp xmrig behavioral1/memory/1184-2452-0x00007FF7323C0000-0x00007FF732711000-memory.dmp xmrig behavioral1/memory/7064-2456-0x00007FF7B4DE0000-0x00007FF7B5131000-memory.dmp xmrig behavioral1/memory/6672-2457-0x00007FF6BA0B0000-0x00007FF6BA401000-memory.dmp xmrig behavioral1/memory/6480-2459-0x00007FF659180000-0x00007FF6594D1000-memory.dmp xmrig behavioral1/memory/5592-2462-0x00007FF74D930000-0x00007FF74DC81000-memory.dmp xmrig behavioral1/memory/1460-2458-0x00007FF781D40000-0x00007FF782091000-memory.dmp xmrig behavioral1/memory/5572-2464-0x00007FF7B3A30000-0x00007FF7B3D81000-memory.dmp xmrig behavioral1/memory/6468-2463-0x00007FF73C340000-0x00007FF73C691000-memory.dmp xmrig behavioral1/memory/5268-2465-0x00007FF786ED0000-0x00007FF787221000-memory.dmp xmrig behavioral1/memory/6668-2448-0x00007FF7AD5D0000-0x00007FF7AD921000-memory.dmp xmrig behavioral1/memory/6580-2447-0x00007FF7C5610000-0x00007FF7C5961000-memory.dmp xmrig behavioral1/memory/5764-2491-0x00007FF7A8E10000-0x00007FF7A9161000-memory.dmp xmrig behavioral1/memory/2812-2498-0x00007FF6C5250000-0x00007FF6C55A1000-memory.dmp xmrig behavioral1/memory/6840-2499-0x00007FF65D890000-0x00007FF65DBE1000-memory.dmp xmrig behavioral1/memory/6356-2500-0x00007FF60ED50000-0x00007FF60F0A1000-memory.dmp xmrig behavioral1/memory/6312-2501-0x00007FF6962E0000-0x00007FF696631000-memory.dmp xmrig -
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 5524 powershell.exe 2380 powershell.exe 1492 powershell.exe 3408 powershell.exe 5740 powershell.exe -
Downloads MZ/PE file
-
Manipulates Digital Signatures 1 TTPs 1 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\E839C29D03828286362A23C54C921A216DF79497\Blob = 0f00000001000000140000005add04f578817f388d0a4a7de75430ccaf35632e0200000001000000cc0000001c0000006c0000000100000000000000000000000000000001000000660062003200360031006500340035002d0036003800390032002d0034006300360032002d0039006200310062002d0037003500620031006200380066003400340066003000610000000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000e839c29d03828286362a23c54c921a216df79497200000000100000000030000308202fc308201e4a0030201020210496920e27c6d90b0434b0a84cd07c5a2300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234303931333138303333355a180f32313234303832303138303333355a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100c08c2c6b347adb5148cfda216114cc3817dc9ce1222b5b3db6ad6ecb8b4b54ae117f91401f9672cf2033c08b6e3565c504acdb1011c9389c629d3bb7ac064299f8df410c0de954092ab717c8aa289edae2abd31e66482de8ea68042e04393262b6e9c8fb67a1caf3a90af4c07c418cbe5b142c06fd6da030aded98f9d17c731e9e3b0ade83df43ab7c47b711758d9188a17e9465480a6d4f33c16bd20418ff5ab56b1091210716414f46eaa4370728a48e131854de17fcb1403cddd0044be648b6cc0dd422f62640b70c05667583a92f637931d0959973b2559939d786cd190915a1acd47bc097dd95d976dafcd2e86815a3743d5502f92135f64e52e0ede8490203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e404453455958554f440030090603551d1304023000300d06092a864886f70d01010505000382010100096053329ee16e450407f4c186a5fccdf041ea0a4bdf9a367003f2f8c08b219203539a02ec3668b8f3d92686e18a6acba49d1d22e6a76accc49990dc364ef8d95fd6e18a953cd9cad4ba0b5a65cdb481d70ef09f959defe185e597bde7712926aa40431ba1a1bfba18c59ac35f942a345e52f8426be446cc99f7097b4fe4b6432a01be1939ab01a95c2a39f8a2368a5e5560cfc43bcded48ef096a4d5efc642e8aa7bae5640e112a4294a09a3a34b59d61c6014edaf99a07f935cc1ec2e710e91a55686fe64ba348123705568afad63520e1f0b1060e43935159da69a0e97b46801f3b03fdce87119b0517dfe21e843ec38674a718ea3daabc1a639eaf30f34a msedge.exe -
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 2732 attrib.exe -
resource yara_rule behavioral1/files/0x00070000000234e4-74.dat aspack_v212_v242 -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation PurchaseOrder.exe Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation avg.exe Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation aj9BD1.exe Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation Bootstraper.exe -
Executes dropped EXE 57 IoCs
pid Process 5004 stopwatch.exe 4996 anti.exe 4500 screenscrew.exe 4200 PurchaseOrder.exe 5672 butdes.exe 5688 flydes.exe 2212 i.exe 6016 butdes.tmp 6024 flydes.tmp 5928 gx.exe 6056 bundle.exe 5124 rckdck.exe 5580 is-QMH97.tmp 5724 avg.exe 1092 telamon.exe 1696 telamon.tmp 5760 setup.exe 5960 setup.exe 6004 setup.exe 5236 tt-installer-helper.exe 5576 tt-installer-helper.exe 5660 aj9BD1.exe 5252 g_.exe 2180 t.exe 4000 g.exe 5236 e.exe 5208 Bootstraper.exe 7064 soles.exe 5408 Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe 4004 assistant_installer.exe 6576 assistant_installer.exe 6616 neurosafe.exe 5764 cobstrk.exe 2064 jaf.exe 6312 culSCxk.exe 2812 GKnryjc.exe 5592 dwfjVLY.exe 6388 PihUOOY.exe 5536 file.exe 6840 uCEqbTX.exe 2732 mguLVKj.exe 5876 UbcBxgT.exe 6252 dYClVYN.exe 6468 ciDYLiR.exe 6356 DMBBKMy.exe 7056 ODZKjDT.exe 6580 uMkacuj.exe 6668 HqPPWyk.exe 2040 ipxMgpC.exe 5572 wEJriFR.exe 1184 LmopYUN.exe 7064 GsrLbbf.exe 6672 ZgiliIu.exe 1460 deohgmn.exe 5268 UonsfGc.exe 6480 aKpBHKY.exe 7140 OHSHIT!.exe -
Loads dropped DLL 26 IoCs
pid Process 5760 setup.exe 5724 avg.exe 5724 avg.exe 1696 telamon.tmp 5960 setup.exe 6004 setup.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5660 aj9BD1.exe 5660 aj9BD1.exe 2180 t.exe 2180 t.exe 4000 g.exe 4000 g.exe 5236 e.exe 5236 e.exe 5660 aj9BD1.exe 5252 g_.exe 5252 g_.exe 5660 aj9BD1.exe 5660 aj9BD1.exe 5660 aj9BD1.exe 5660 aj9BD1.exe 5660 aj9BD1.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/5764-2367-0x00007FF7A8E10000-0x00007FF7A9161000-memory.dmp upx behavioral1/files/0x000400000001e781-2374.dat upx behavioral1/memory/2812-2380-0x00007FF6C5250000-0x00007FF6C55A1000-memory.dmp upx behavioral1/memory/2732-2423-0x00007FF656660000-0x00007FF6569B1000-memory.dmp upx behavioral1/memory/6840-2409-0x00007FF65D890000-0x00007FF65DBE1000-memory.dmp upx behavioral1/memory/6252-2435-0x00007FF722A10000-0x00007FF722D61000-memory.dmp upx behavioral1/memory/5876-2433-0x00007FF6A8250000-0x00007FF6A85A1000-memory.dmp upx behavioral1/memory/6388-2404-0x00007FF75D4A0000-0x00007FF75D7F1000-memory.dmp upx behavioral1/memory/7056-2442-0x00007FF799D10000-0x00007FF79A061000-memory.dmp upx behavioral1/memory/6356-2436-0x00007FF60ED50000-0x00007FF60F0A1000-memory.dmp upx behavioral1/memory/2040-2451-0x00007FF79DA80000-0x00007FF79DDD1000-memory.dmp upx behavioral1/memory/1184-2452-0x00007FF7323C0000-0x00007FF732711000-memory.dmp upx behavioral1/memory/7064-2456-0x00007FF7B4DE0000-0x00007FF7B5131000-memory.dmp upx behavioral1/memory/6672-2457-0x00007FF6BA0B0000-0x00007FF6BA401000-memory.dmp upx behavioral1/memory/6480-2459-0x00007FF659180000-0x00007FF6594D1000-memory.dmp upx behavioral1/memory/5592-2462-0x00007FF74D930000-0x00007FF74DC81000-memory.dmp upx behavioral1/memory/1460-2458-0x00007FF781D40000-0x00007FF782091000-memory.dmp upx behavioral1/memory/5572-2464-0x00007FF7B3A30000-0x00007FF7B3D81000-memory.dmp upx behavioral1/memory/6468-2463-0x00007FF73C340000-0x00007FF73C691000-memory.dmp upx behavioral1/memory/5268-2465-0x00007FF786ED0000-0x00007FF787221000-memory.dmp upx behavioral1/memory/6668-2448-0x00007FF7AD5D0000-0x00007FF7AD921000-memory.dmp upx behavioral1/memory/6580-2447-0x00007FF7C5610000-0x00007FF7C5961000-memory.dmp upx behavioral1/memory/6312-2377-0x00007FF6962E0000-0x00007FF696631000-memory.dmp upx behavioral1/memory/5764-2491-0x00007FF7A8E10000-0x00007FF7A9161000-memory.dmp upx behavioral1/memory/2812-2498-0x00007FF6C5250000-0x00007FF6C55A1000-memory.dmp upx behavioral1/memory/6840-2499-0x00007FF65D890000-0x00007FF65DBE1000-memory.dmp upx behavioral1/memory/6356-2500-0x00007FF60ED50000-0x00007FF60F0A1000-memory.dmp upx behavioral1/memory/6312-2501-0x00007FF6962E0000-0x00007FF696631000-memory.dmp upx -
Checks for any installed AV software in registry 1 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\AVAST Software\Avast aj9BD1.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast avg.exe Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\AVAST Software\Avast avg.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast aj9BD1.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jaf.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\D: setup.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\F: setup.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\S: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 228 raw.githubusercontent.com 229 raw.githubusercontent.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 194 api.ipify.org 195 api.ipify.org -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 aj9BD1.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 7064 soles.exe 7064 soles.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4200 set thread context of 1500 4200 PurchaseOrder.exe 474 PID 5536 set thread context of 5748 5536 file.exe 761 -
Drops file in Windows directory 21 IoCs
description ioc Process File created C:\Windows\System\UbcBxgT.exe cobstrk.exe File created C:\Windows\System\dYClVYN.exe cobstrk.exe File created C:\Windows\System\LmopYUN.exe cobstrk.exe File created C:\Windows\System\ZgiliIu.exe cobstrk.exe File created C:\Windows\System\culSCxk.exe cobstrk.exe File created C:\Windows\System\dwfjVLY.exe cobstrk.exe File created C:\Windows\System\HqPPWyk.exe cobstrk.exe File created C:\Windows\System\wEJriFR.exe cobstrk.exe File created C:\Windows\System\UonsfGc.exe cobstrk.exe File created C:\Windows\System\DMBBKMy.exe cobstrk.exe File created C:\Windows\System\PihUOOY.exe cobstrk.exe File created C:\Windows\System\ipxMgpC.exe cobstrk.exe File created C:\Windows\System\GsrLbbf.exe cobstrk.exe File created C:\Windows\System\deohgmn.exe cobstrk.exe File created C:\Windows\System\aKpBHKY.exe cobstrk.exe File created C:\Windows\System\GKnryjc.exe cobstrk.exe File created C:\Windows\System\uCEqbTX.exe cobstrk.exe File created C:\Windows\System\mguLVKj.exe cobstrk.exe File created C:\Windows\System\ciDYLiR.exe cobstrk.exe File created C:\Windows\System\ODZKjDT.exe cobstrk.exe File created C:\Windows\System\uMkacuj.exe cobstrk.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OHSHIT!.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontview.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language avg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI aj9BD1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 dwm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags dwm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 dwm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags dwm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID dwm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID dwm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI aj9BD1.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString msedge.exe -
Delays execution with timeout.exe 5 IoCs
pid Process 3328 timeout.exe 2444 timeout.exe 5920 timeout.exe 3896 timeout.exe 6244 timeout.exe -
Enumerates system info in registry 2 TTPs 7 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS dwm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dwm.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msedge.exe -
Kills process with taskkill 64 IoCs
pid Process 1640 taskkill.exe 5132 taskkill.exe 6096 taskkill.exe 3900 taskkill.exe 5452 taskkill.exe 5520 taskkill.exe 4396 taskkill.exe 764 taskkill.exe 4388 taskkill.exe 2280 taskkill.exe 3568 taskkill.exe 5572 taskkill.exe 3544 taskkill.exe 2832 taskkill.exe 3048 taskkill.exe 4752 taskkill.exe 4832 taskkill.exe 2640 taskkill.exe 6056 taskkill.exe 2616 taskkill.exe 7048 taskkill.exe 4800 taskkill.exe 5144 taskkill.exe 716 taskkill.exe 2196 taskkill.exe 4008 taskkill.exe 6336 taskkill.exe 5808 taskkill.exe 5700 taskkill.exe 2656 taskkill.exe 5744 taskkill.exe 2288 taskkill.exe 1500 taskkill.exe 5996 taskkill.exe 1952 taskkill.exe 5720 taskkill.exe 4196 taskkill.exe 2636 taskkill.exe 3300 taskkill.exe 2644 taskkill.exe 1324 taskkill.exe 6340 taskkill.exe 3976 taskkill.exe 2468 taskkill.exe 540 taskkill.exe 5232 taskkill.exe 5192 taskkill.exe 2708 taskkill.exe 2064 taskkill.exe 4504 taskkill.exe 3976 taskkill.exe 220 taskkill.exe 2320 taskkill.exe 6180 taskkill.exe 7080 taskkill.exe 3720 taskkill.exe 940 taskkill.exe 1056 taskkill.exe 5608 taskkill.exe 2828 taskkill.exe 4412 taskkill.exe 5204 taskkill.exe 2020 taskkill.exe 7072 taskkill.exe -
Modifies data under HKEY_USERS 18 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust dwm.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings cmd.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 setup.exe -
Opens file in notepad (likely ransom note) 2 IoCs
pid Process 2240 notepad.exe 1512 NOTEPAD.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5596 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4228 msedge.exe 4228 msedge.exe 3892 msedge.exe 3892 msedge.exe 1684 msedge.exe 1684 msedge.exe 2380 powershell.exe 2380 powershell.exe 5524 powershell.exe 5524 powershell.exe 1500 RegSvcs.exe 1500 RegSvcs.exe 1500 RegSvcs.exe 5524 powershell.exe 2380 powershell.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5724 avg.exe 5660 aj9BD1.exe 5660 aj9BD1.exe 5724 avg.exe 5724 avg.exe 5660 aj9BD1.exe 5660 aj9BD1.exe 5660 aj9BD1.exe 5660 aj9BD1.exe 5660 aj9BD1.exe 5660 aj9BD1.exe 5660 aj9BD1.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 5252 g_.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
pid Process 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 5108 taskkill.exe Token: SeDebugPrivilege 2320 taskkill.exe Token: SeDebugPrivilege 4396 taskkill.exe Token: SeDebugPrivilege 2284 taskkill.exe Token: SeDebugPrivilege 4164 taskkill.exe Token: SeDebugPrivilege 4604 taskkill.exe Token: SeDebugPrivilege 1640 taskkill.exe Token: SeDebugPrivilege 968 taskkill.exe Token: SeDebugPrivilege 3884 taskkill.exe Token: SeDebugPrivilege 1196 taskkill.exe Token: SeDebugPrivilege 4512 taskkill.exe Token: SeDebugPrivilege 1084 taskkill.exe Token: SeDebugPrivilege 2828 taskkill.exe Token: SeDebugPrivilege 3020 taskkill.exe Token: SeDebugPrivilege 772 taskkill.exe Token: SeDebugPrivilege 840 taskkill.exe Token: SeDebugPrivilege 4160 taskkill.exe Token: SeDebugPrivilege 764 taskkill.exe Token: SeDebugPrivilege 4700 taskkill.exe Token: SeDebugPrivilege 2460 taskkill.exe Token: SeDebugPrivilege 3980 taskkill.exe Token: SeDebugPrivilege 4892 taskkill.exe Token: SeDebugPrivilege 2380 taskkill.exe Token: SeDebugPrivilege 4820 taskkill.exe Token: SeDebugPrivilege 2016 taskkill.exe Token: SeDebugPrivilege 2008 taskkill.exe Token: SeDebugPrivilege 2832 taskkill.exe Token: SeDebugPrivilege 2720 taskkill.exe Token: SeDebugPrivilege 2876 taskkill.exe Token: SeDebugPrivilege 3532 taskkill.exe Token: SeDebugPrivilege 4768 taskkill.exe Token: SeDebugPrivilege 2584 taskkill.exe Token: SeDebugPrivilege 3028 taskkill.exe Token: SeDebugPrivilege 4588 taskkill.exe Token: SeDebugPrivilege 1672 taskkill.exe Token: SeDebugPrivilege 3968 taskkill.exe Token: SeDebugPrivilege 232 taskkill.exe Token: SeDebugPrivilege 2580 taskkill.exe Token: SeDebugPrivilege 5108 taskkill.exe Token: SeDebugPrivilege 2320 taskkill.exe Token: SeDebugPrivilege 1540 taskkill.exe Token: SeDebugPrivilege 5092 taskkill.exe Token: SeDebugPrivilege 444 taskkill.exe Token: SeDebugPrivilege 220 taskkill.exe Token: SeDebugPrivilege 984 taskkill.exe Token: SeDebugPrivilege 3972 taskkill.exe Token: SeDebugPrivilege 1556 taskkill.exe Token: SeDebugPrivilege 2340 taskkill.exe Token: SeDebugPrivilege 4736 taskkill.exe Token: SeDebugPrivilege 2964 taskkill.exe Token: SeDebugPrivilege 1840 taskkill.exe Token: SeDebugPrivilege 2092 taskkill.exe Token: SeDebugPrivilege 1660 taskkill.exe Token: SeDebugPrivilege 1852 taskkill.exe Token: SeDebugPrivilege 2064 taskkill.exe Token: SeDebugPrivilege 940 taskkill.exe Token: SeDebugPrivilege 4496 taskkill.exe Token: SeDebugPrivilege 4004 taskkill.exe Token: SeDebugPrivilege 3360 taskkill.exe Token: SeDebugPrivilege 2932 taskkill.exe Token: SeDebugPrivilege 4348 taskkill.exe Token: SeDebugPrivilege 4420 taskkill.exe Token: SeDebugPrivilege 3600 taskkill.exe Token: SeDebugPrivilege 3760 taskkill.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 5004 stopwatch.exe 4996 anti.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 3920 msiexec.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe 1684 msedge.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 5004 stopwatch.exe 4996 anti.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 5760 setup.exe 5724 avg.exe 5660 aj9BD1.exe 2472 OpenWith.exe 7064 soles.exe 6816 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2148 wrote to memory of 4956 2148 P0lko.exe 88 PID 2148 wrote to memory of 4956 2148 P0lko.exe 88 PID 2148 wrote to memory of 4956 2148 P0lko.exe 88 PID 4956 wrote to memory of 1512 4956 cmd.exe 90 PID 4956 wrote to memory of 1512 4956 cmd.exe 90 PID 4956 wrote to memory of 1512 4956 cmd.exe 90 PID 4956 wrote to memory of 5004 4956 cmd.exe 91 PID 4956 wrote to memory of 5004 4956 cmd.exe 91 PID 4956 wrote to memory of 5004 4956 cmd.exe 91 PID 4956 wrote to memory of 4996 4956 cmd.exe 92 PID 4956 wrote to memory of 4996 4956 cmd.exe 92 PID 4956 wrote to memory of 4996 4956 cmd.exe 92 PID 4956 wrote to memory of 4500 4956 cmd.exe 93 PID 4956 wrote to memory of 4500 4956 cmd.exe 93 PID 4956 wrote to memory of 4500 4956 cmd.exe 93 PID 4956 wrote to memory of 5000 4956 cmd.exe 94 PID 4956 wrote to memory of 5000 4956 cmd.exe 94 PID 4956 wrote to memory of 5000 4956 cmd.exe 94 PID 4956 wrote to memory of 3444 4956 cmd.exe 96 PID 4956 wrote to memory of 3444 4956 cmd.exe 96 PID 4956 wrote to memory of 3444 4956 cmd.exe 96 PID 4956 wrote to memory of 3328 4956 cmd.exe 97 PID 4956 wrote to memory of 3328 4956 cmd.exe 97 PID 4956 wrote to memory of 3328 4956 cmd.exe 97 PID 5000 wrote to memory of 5108 5000 cmd.exe 98 PID 5000 wrote to memory of 5108 5000 cmd.exe 98 PID 5000 wrote to memory of 5108 5000 cmd.exe 98 PID 5000 wrote to memory of 2320 5000 cmd.exe 101 PID 5000 wrote to memory of 2320 5000 cmd.exe 101 PID 5000 wrote to memory of 2320 5000 cmd.exe 101 PID 5000 wrote to memory of 4396 5000 cmd.exe 102 PID 5000 wrote to memory of 4396 5000 cmd.exe 102 PID 5000 wrote to memory of 4396 5000 cmd.exe 102 PID 5000 wrote to memory of 2284 5000 cmd.exe 103 PID 5000 wrote to memory of 2284 5000 cmd.exe 103 PID 5000 wrote to memory of 2284 5000 cmd.exe 103 PID 5000 wrote to memory of 4164 5000 cmd.exe 104 PID 5000 wrote to memory of 4164 5000 cmd.exe 104 PID 5000 wrote to memory of 4164 5000 cmd.exe 104 PID 5000 wrote to memory of 4604 5000 cmd.exe 105 PID 5000 wrote to memory of 4604 5000 cmd.exe 105 PID 5000 wrote to memory of 4604 5000 cmd.exe 105 PID 5000 wrote to memory of 1640 5000 cmd.exe 106 PID 5000 wrote to memory of 1640 5000 cmd.exe 106 PID 5000 wrote to memory of 1640 5000 cmd.exe 106 PID 5000 wrote to memory of 968 5000 cmd.exe 107 PID 5000 wrote to memory of 968 5000 cmd.exe 107 PID 5000 wrote to memory of 968 5000 cmd.exe 107 PID 5000 wrote to memory of 3884 5000 cmd.exe 108 PID 5000 wrote to memory of 3884 5000 cmd.exe 108 PID 5000 wrote to memory of 3884 5000 cmd.exe 108 PID 5000 wrote to memory of 1196 5000 cmd.exe 109 PID 5000 wrote to memory of 1196 5000 cmd.exe 109 PID 5000 wrote to memory of 1196 5000 cmd.exe 109 PID 5000 wrote to memory of 4512 5000 cmd.exe 110 PID 5000 wrote to memory of 4512 5000 cmd.exe 110 PID 5000 wrote to memory of 4512 5000 cmd.exe 110 PID 5000 wrote to memory of 1084 5000 cmd.exe 111 PID 5000 wrote to memory of 1084 5000 cmd.exe 111 PID 5000 wrote to memory of 1084 5000 cmd.exe 111 PID 5000 wrote to memory of 2828 5000 cmd.exe 112 PID 5000 wrote to memory of 2828 5000 cmd.exe 112 PID 5000 wrote to memory of 2828 5000 cmd.exe 112 PID 5000 wrote to memory of 3020 5000 cmd.exe 113 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 2732 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\P0lko.exe"C:\Users\Admin\AppData\Local\Temp\P0lko.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\!m.bat" "2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵PID:1512
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\stopwatch.exestopwatch.exe3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5004
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\anti.exeanti.exe3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4996
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\screenscrew.exescreenscrew.exe3⤵
- Executes dropped EXE
PID:4500
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K fence.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5108
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4396
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2284
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4164
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4604
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:968
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3884
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1196
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4512
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1084
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2828
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:772
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:840
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4160
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:764
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4700
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3980
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4892
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2380
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4820
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2832
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2876
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3532
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4768
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2584
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4588
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1672
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3968
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:232
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5108
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5092
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:444
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:220
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:984
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3972
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2340
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4736
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2964
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1840
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2092
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1852
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:940
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4496
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4004
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3360
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2932
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4348
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4420
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3600
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3760
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3900
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
PID:4196
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:3544
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:2280
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:2196
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:4412
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
PID:1392
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:1144
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:4800
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3916
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:1696
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:3896
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:116
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:1600
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:4244
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:1668
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5100
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2204
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4136
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:2600
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:1992
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3204
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:1568
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2700
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
PID:1196
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5072
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
PID:1312
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:2684
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:2444
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:4516
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:2288
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:764
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:320
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:2064
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
PID:940
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:4496
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:468
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:2776
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:4320
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:2232
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:3716
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:4008
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3820
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
PID:3900
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:4196
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:3544
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:2280
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:2196
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3864
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2832
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2300
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3816
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
PID:4932
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:4832
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4872
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:4596
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:3720
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3048
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:4504
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2644
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:2320
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:1540
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1640
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:876
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:3976
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:4744
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:2616
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:1496
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:3248
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4508
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:2812
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
PID:2092
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:1660
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:4000
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
PID:2240
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4048
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
PID:2132
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:4760
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:2728
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:3456
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2100
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:696
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:2016
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2804
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:2232
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
PID:3716
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:4008
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3820
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
PID:3900
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
PID:4196
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3544
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5112
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
PID:2732
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4752
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:2832
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
PID:2300
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
PID:3816
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:4932
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:4832
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4872
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:4596
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:3720
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3048
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:4504
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2644
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4604
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:64
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:2636
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4868
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:3976
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
PID:1556
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4388
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:1848
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:3248
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4508
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:2812
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2092
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:2288
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:1844
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2808
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:2064
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:3300
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:3372
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:2020
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:2844
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:1360
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3348
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:1952
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:3068
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3600
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:3760
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:3480
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
PID:3476
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:708
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:1792
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:2008
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5112
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2732
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4752
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:2832
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2300
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3816
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:4932
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
PID:4832
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4872
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:4596
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:3720
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3048
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:4504
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:2644
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4604
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
PID:64
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:1568
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4168
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:4024
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2704
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:2588
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
PID:3248
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:4508
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:2812
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
PID:764
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
PID:320
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:1264
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:940
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:4864
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:468
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:1864
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:1500
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:1360
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:4420
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
PID:3652
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4192
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:3900
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:4632
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3520
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:4752
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:416
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4256
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:3524
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:4536
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4244
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:4396
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:4164
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:1992
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:64
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:4624
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:2088
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:2640
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2496
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
PID:2128
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:2468
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2288
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:1324
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:3980
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:3300
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:1752
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:2868
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
PID:1624
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:3568
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:3604
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5028
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4628
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:3380
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:1544
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:2256
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:4444
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:116
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4872
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:3616
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:4408
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5012
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:3016
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:968
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:1056
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:2468
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:3696
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3696
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5360
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
PID:5420
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5452
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
PID:5484
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5520
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5708
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5780
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5876
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:5996
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:6024
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:6052
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:6084
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:6112
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:6140
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:1276
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5272
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:968
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5476
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5504
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5556
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5592
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5532
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2580
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3380
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5772
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:5808
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5260
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:4244
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:3760
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3460
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:4728
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:4420
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5924
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5968
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:6000
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:6040
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:6076
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:6096
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:6124
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:5144
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:5132
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5252
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5324
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5412
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5204
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5216
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5240
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:5452
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:4060
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
PID:5504
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5288
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:2876
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:6056
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5192
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5576
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5720
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4456
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5780
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5548
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:1976
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5860
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5636
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5796
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:6020
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:1196
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:6040
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:1296
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
PID:228
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5252
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:5700
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5200
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:2336
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5188
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5452
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5192
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:5572
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:3908
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
PID:5528
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:4092
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:3048
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5772
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:4316
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:540
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5712
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:4740
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5760
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5856
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:3760
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5028
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
PID:6108
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:3380
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5912
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5656
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:6012
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:6092
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5652
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:1196
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:6040
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:1296
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:228
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:5520
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4196
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5216
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:5204
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:4752
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5564
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5588
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
PID:5612
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5720
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5180
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5288
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:1660
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:2656
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4316
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:540
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5728
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:6064
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5808
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:1696
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:2020
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:2240
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2380
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5828
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:2176
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5636
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5796
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:6020
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2732
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:2872
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:1644
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5252
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:6132
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:1556
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5244
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
PID:5860
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5508
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:4464
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5224
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5540
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5544
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:5744
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5768
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5208
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:2444
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5628
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
PID:1552
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
PID:1092
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5680
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:3536
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3896
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5736
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:3204
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:1448
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5864
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:6008
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5952
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:6096
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:968
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:6112
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:1596
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2708
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:1536
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
PID:5252
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:6132
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
PID:1556
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:5232
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5452
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:5192
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:6060
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5224
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5732
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
PID:5752
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5596
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5464
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
PID:5780
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2656
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3972
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5228
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:716
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5524
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:1696
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:3760
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5772
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
PID:2240
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2580
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5668
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5636
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:6012
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:968
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:6112
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:1596
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:2708
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:1296
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:2616
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4196
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5196
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:3328
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:2720
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:4060
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:6104
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3908
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:5720
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
PID:1700
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5128
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
PID:5612
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5464
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:4176
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:1560
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:5608
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3644
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5048
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:4740
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:6852
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:6180
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:6488
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
PID:5764
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:7048
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:6892
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:6736
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
PID:1056
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:1036
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:5744
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:6892
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:352
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:6188
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:6340
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:6336
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:6428
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:6496
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:2468
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:3824
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:7104
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:7076
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:6472
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:1720
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:5088
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:7160
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:6804
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:6940
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:6988
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:7072
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:7080
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:7108
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:7148
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:6012
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
PID:6592
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:5464
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:6220
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵PID:6392
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵PID:6244
-
-
-
C:\Windows\SysWOW64\explorer.exeexplorer3⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3444
-
-
C:\Windows\SysWOW64\timeout.exetimeout 303⤵
- Delays execution with timeout.exe
PID:3328
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\PurchaseOrder.exePurchaseOrder.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4200 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\PurchaseOrder.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5524
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TESAYt.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2380
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TESAYt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp657B.tmp"4⤵
- Scheduled Task/Job: Scheduled Task
PID:5596
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1500
-
-
-
C:\Windows\SysWOW64\cipher.execipher /k /h /e C:\Users\Admin\Desktop\*3⤵PID:3484
-
-
C:\Windows\SysWOW64\cipher.execipher C:\Users\Admin\Desktop\*3⤵PID:3380
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\doc.html3⤵PID:4624
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x80,0x128,0x7ffd64fe46f8,0x7ffd64fe4708,0x7ffd64fe47184⤵PID:2684
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,2273675752733714081,11428601412799475847,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:24⤵PID:4460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,2273675752733714081,11428601412799475847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:3892
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\infected.html3⤵
- Manipulates Digital Signatures
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:1684 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd64fe46f8,0x7ffd64fe4708,0x7ffd64fe47184⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:24⤵PID:3604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:4228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:84⤵PID:1284
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:14⤵PID:3560
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:14⤵PID:3028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:14⤵PID:2828
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:14⤵PID:1556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:14⤵PID:5164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:14⤵PID:5624
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:14⤵PID:3188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:14⤵PID:4596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:14⤵PID:1772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:14⤵PID:5816
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1280 /prefetch:24⤵PID:6148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6940 /prefetch:84⤵PID:3428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6940 /prefetch:84⤵PID:984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:14⤵PID:6748
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:14⤵PID:2152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:14⤵PID:4484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:14⤵PID:3956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:14⤵PID:1600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:14⤵PID:2940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:14⤵PID:3628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,8413225515403188781,10104337229207083954,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 /prefetch:24⤵PID:3760
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 103⤵
- Delays execution with timeout.exe
PID:2444
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\butdes.exebutdes.exe3⤵
- Executes dropped EXE
PID:5672 -
C:\Users\Admin\AppData\Local\Temp\is-TI1LR.tmp\butdes.tmp"C:\Users\Admin\AppData\Local\Temp\is-TI1LR.tmp\butdes.tmp" /SL5="$3015E,2719719,54272,C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\butdes.exe"4⤵
- Executes dropped EXE
PID:6016
-
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\flydes.exeflydes.exe3⤵
- Executes dropped EXE
PID:5688 -
C:\Users\Admin\AppData\Local\Temp\is-DFTHR.tmp\flydes.tmp"C:\Users\Admin\AppData\Local\Temp\is-DFTHR.tmp\flydes.tmp" /SL5="$30160,595662,54272,C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\flydes.exe"4⤵
- Executes dropped EXE
PID:6024
-
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\i.exei.exe3⤵
- Executes dropped EXE
PID:2212
-
-
C:\Windows\SysWOW64\timeout.exetimeout 103⤵
- Delays execution with timeout.exe
PID:5920
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\gx.exegx.exe3⤵
- Executes dropped EXE
PID:5928 -
C:\Users\Admin\AppData\Local\Temp\7zS82795FD8\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS82795FD8\setup.exe --server-tracking-blob=MzY5Njg4ZTc1OTE1MjcyMTMxZmYwZTk4ODU3ZWE4Mjk0NjQ0Nzc5MjcxMWY4OGZhOThlNTU5YmNlNzA1NmJiOTp7ImNvdW50cnkiOiJOTCIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9OTF9VVlJfMzczNiZlZGl0aW9uPXN0ZC0yJnV0bV9jb250ZW50PTM3MzZfJnV0bV9pZD0wNTgwYWM0YWUyOTA0ZDA3ODNkOTQxNWE0NWRhZGFkYSZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRnJ1JTJGZ3glM0ZlZGl0aW9uJTNEc3RkLTIlMjZ1dG1fc291cmNlJTNEUFdOZ2FtZXMlMjZ1dG1fbWVkaXVtJTNEcGElMjZ1dG1fY2FtcGFpZ24lM0RQV05fTkxfVVZSXzM3MzYlMjZ1dG1fY29udGVudCUzRDM3MzZfJTI2dXRtX2lkJTNEMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkZneCZ1dG1faWQ9MDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmZGxfdG9rZW49NzAwOTYzNzgiLCJ0aW1lc3RhbXAiOiIxNzI1ODAyMjIzLjgwMDQiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTI4LjAuMC4wIFNhZmFyaS81MzcuMzYgRWRnLzEyOC4wLjAuMCIsInV0bSI6eyJjYW1wYWlnbiI6IlBXTl9OTF9VVlJfMzczNiIsImNvbnRlbnQiOiIzNzM2XyIsImlkIjoiMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS9neCIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiI0ODkyOGFmMC1jZDc3LTQ0NDctYTQyNy1kNzY5ODRmOGQ5NGMifQ==4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:5760 -
C:\Users\Admin\AppData\Local\Temp\7zS82795FD8\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS82795FD8\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.115 --initial-client-data=0x31c,0x320,0x324,0x2f8,0x328,0x6e041b54,0x6e041b60,0x6e041b6c5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5960
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:6004
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409131803591\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409131803591\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5408
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409131803591\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409131803591\assistant\assistant_installer.exe" --version5⤵
- Executes dropped EXE
PID:4004 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409131803591\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409131803591\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x5d4f48,0x5d4f58,0x5d4f646⤵
- Executes dropped EXE
PID:6576
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\bundle.exebundle.exe3⤵
- Executes dropped EXE
PID:6056
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\rckdck.exerckdck.exe3⤵
- Executes dropped EXE
PID:5124 -
C:\Users\Admin\AppData\Local\Temp\is-6O1PT.tmp\is-QMH97.tmp"C:\Users\Admin\AppData\Local\Temp\is-6O1PT.tmp\is-QMH97.tmp" /SL4 $50212 "C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\rckdck.exe" 6123423 527364⤵
- Executes dropped EXE
PID:5580
-
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\avg.exeavg.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5724 -
C:\Users\Admin\AppData\Local\Temp\aj9BD1.exe"C:\Users\Admin\AppData\Local\Temp\aj9BD1.exe" /relaunch=8 /was_elevated=1 /tagdata4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5660
-
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\telamon.exetelamon.exe3⤵
- Executes dropped EXE
PID:1092 -
C:\Users\Admin\AppData\Local\Temp\is-CN3F0.tmp\telamon.tmp"C:\Users\Admin\AppData\Local\Temp\is-CN3F0.tmp\telamon.tmp" /SL5="$20134,1520969,918016,C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\telamon.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-C2B53.tmp\tt-installer-helper.exe" --getuid > "C:\Users\Admin\AppData\Local\Temp\is-C2B53.tmp\~execwithresult.txt""5⤵PID:6040
-
C:\Users\Admin\AppData\Local\Temp\is-C2B53.tmp\tt-installer-helper.exe"C:\Users\Admin\AppData\Local\Temp\is-C2B53.tmp\tt-installer-helper.exe" --getuid6⤵
- Executes dropped EXE
PID:5236
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-C2B53.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\telamon.exe > "C:\Users\Admin\AppData\Local\Temp\is-C2B53.tmp\~execwithresult.txt""5⤵PID:5240
-
C:\Users\Admin\AppData\Local\Temp\is-C2B53.tmp\tt-installer-helper.exe"C:\Users\Admin\AppData\Local\Temp\is-C2B53.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\telamon.exe6⤵
- Executes dropped EXE
PID:5576
-
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:3896
-
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\gadget.msi"3⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:3920
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K des.bat3⤵
- Modifies registry class
PID:5868 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:6092
-
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\g_.exeg_.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:5252 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5700
-
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\t.exet.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\g.exeg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4000
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\e.exee.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5236
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\GAB3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2732
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\Bootstraper.exeBootstraper.exe3⤵
- Checks computer location settings
- Executes dropped EXE
PID:5208 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\SalaNses'"4⤵
- Command and Scripting Interpreter: PowerShell
PID:5740 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:5548
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"4⤵
- Command and Scripting Interpreter: PowerShell
PID:3408 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:5652
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:1492
-
-
C:\SalaNses\soles.exe"C:\SalaNses\soles.exe"4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:7064
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\dng.html3⤵PID:5924
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd64fe46f8,0x7ffd64fe4708,0x7ffd64fe47184⤵PID:6020
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 103⤵
- Delays execution with timeout.exe
PID:6244
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K proxy.bat3⤵PID:2852
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe4⤵PID:1492
-
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\neurosafe.exeneurosafe.exe3⤵
- Executes dropped EXE
PID:6616
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" "C:\GAB\1571.CompositeFont"3⤵
- Opens file in notepad (likely ransom note)
PID:2240
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\GAB\1571.ini3⤵
- Opens file in notepad (likely ransom note)
PID:1512
-
-
C:\Windows\SysWOW64\fontview.exe"C:\Windows\System32\fontview.exe" C:\GAB\1571.ttc3⤵PID:6152
-
-
C:\Windows\SysWOW64\fontview.exe"C:\Windows\System32\fontview.exe" C:\GAB\1571.TTF3⤵
- System Location Discovery: System Language Discovery
PID:6680
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\cobstrk.execobstrk.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5764 -
C:\Windows\System\culSCxk.exeC:\Windows\System\culSCxk.exe4⤵
- Executes dropped EXE
PID:6312
-
-
C:\Windows\System\GKnryjc.exeC:\Windows\System\GKnryjc.exe4⤵
- Executes dropped EXE
PID:2812
-
-
C:\Windows\System\dwfjVLY.exeC:\Windows\System\dwfjVLY.exe4⤵
- Executes dropped EXE
PID:5592
-
-
C:\Windows\System\DMBBKMy.exeC:\Windows\System\DMBBKMy.exe4⤵
- Executes dropped EXE
PID:6356
-
-
C:\Windows\System\PihUOOY.exeC:\Windows\System\PihUOOY.exe4⤵
- Executes dropped EXE
PID:6388
-
-
C:\Windows\System\uCEqbTX.exeC:\Windows\System\uCEqbTX.exe4⤵
- Executes dropped EXE
PID:6840
-
-
C:\Windows\System\mguLVKj.exeC:\Windows\System\mguLVKj.exe4⤵
- Executes dropped EXE
PID:2732
-
-
C:\Windows\System\ciDYLiR.exeC:\Windows\System\ciDYLiR.exe4⤵
- Executes dropped EXE
PID:6468
-
-
C:\Windows\System\UbcBxgT.exeC:\Windows\System\UbcBxgT.exe4⤵
- Executes dropped EXE
PID:5876
-
-
C:\Windows\System\ODZKjDT.exeC:\Windows\System\ODZKjDT.exe4⤵
- Executes dropped EXE
PID:7056
-
-
C:\Windows\System\dYClVYN.exeC:\Windows\System\dYClVYN.exe4⤵
- Executes dropped EXE
PID:6252
-
-
C:\Windows\System\uMkacuj.exeC:\Windows\System\uMkacuj.exe4⤵
- Executes dropped EXE
PID:6580
-
-
C:\Windows\System\HqPPWyk.exeC:\Windows\System\HqPPWyk.exe4⤵
- Executes dropped EXE
PID:6668
-
-
C:\Windows\System\ipxMgpC.exeC:\Windows\System\ipxMgpC.exe4⤵
- Executes dropped EXE
PID:2040
-
-
C:\Windows\System\wEJriFR.exeC:\Windows\System\wEJriFR.exe4⤵
- Executes dropped EXE
PID:5572
-
-
C:\Windows\System\LmopYUN.exeC:\Windows\System\LmopYUN.exe4⤵
- Executes dropped EXE
PID:1184
-
-
C:\Windows\System\GsrLbbf.exeC:\Windows\System\GsrLbbf.exe4⤵
- Executes dropped EXE
PID:7064
-
-
C:\Windows\System\ZgiliIu.exeC:\Windows\System\ZgiliIu.exe4⤵
- Executes dropped EXE
PID:6672
-
-
C:\Windows\System\deohgmn.exeC:\Windows\System\deohgmn.exe4⤵
- Executes dropped EXE
PID:1460
-
-
C:\Windows\System\UonsfGc.exeC:\Windows\System\UonsfGc.exe4⤵
- Executes dropped EXE
PID:5268
-
-
C:\Windows\System\aKpBHKY.exeC:\Windows\System\aKpBHKY.exe4⤵
- Executes dropped EXE
PID:6480
-
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\jaf.exejaf.exe3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2064
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\file.exefile.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5536 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵PID:6968
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5748
-
-
-
C:\Users\Admin\AppData\Local\Temp\P0lko_108b16f8-3de8-4ca7-8181-d9cba2946188\OHSHIT!.exeOHSHIT!.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:7140
-
-
-
C:\Windows\system32\efsui.exeefsui.exe /efs /keybackup1⤵PID:708
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4536
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4068
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f8 0x3041⤵PID:3664
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵PID:3328
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2472
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6816
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}1⤵PID:6336
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:6536
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:5828
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5888
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5744
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
1Pre-OS Boot
1Bootkit
1Subvert Trust Controls
2Install Root Certificate
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
42KB
MD58f64a583b0823bfc2fdf7277e67b5e16
SHA1f8029c828d0aef58f8818b866f1f7f1ec2f095b8
SHA256b637a0f9031088d08147f397836fe1c16b15c70db696db4ddea05ec5b95b4f91
SHA512e8c7941c8a42f6408b0071c7f0ea06a226757d3a07e3943738296c5dd5e5e60d682424182f0d788f42a5758f1c76ef1ec89901acc43799833234f09f3b4278a2
-
Filesize
161KB
MD528806fbbd48444f22edee13bddeef650
SHA17b28cb70206c9890e9601ee8d03236f84ed511c9
SHA25621be61ff5289c2125dbb48e2a739fd4dd98c3e58b37abfc22cc0412dd8376d95
SHA512e0867701e2f5816f5f7d889186f8db84bd92164a0e8046e464e66c700571456f4f15731f5eff7ab362dd80c4128bbf0adc926738265c64585563739bc4ac6849
-
Filesize
168KB
MD51eae8a8ffaf0e470ac7d5d762c604f85
SHA1ae2f8445227e90acb2a47b9430be7556a5c5c0cb
SHA2560e36ddf90102e476c6739ca4c8cc18ba8309d880c12558981d2e4d42de78fc00
SHA512da7e5dba0694d03d0c2ad82f5a5d2c0e929577d05e7e8e45cdf2ae39323a7a5580b7ab5129925a616022184828a160d7c290ba4acaf6cc24eaaf3223c85a38c0
-
Filesize
855KB
MD5db8929e6e713660d0b8af2b989899a49
SHA16f41ff9b68cfdc31b58cb5e3c7d60327d2364d0b
SHA256a154df0a3e31286319f9bd61bc66c2ec6aa744167f1e18f931857ca71f2cd836
SHA512982b45e12e5e3d16faf29c2cb59af0357cf1710fc724b8d2bd28cb15a3014ccdc65867ac7dae2730ec1212001ce41c73659bcf787b352e08705dda2ff2b1f2d8
-
Filesize
384KB
MD57f0a12010ba849931d03a44fd152b22b
SHA167e9360a411169c94094949514aebf4ad461d2d6
SHA25628b40950d9987ac99c3f83d73f35092618384a3dac21c8eafd5b9445db45adba
SHA512d3807326d43d474439d2a7210296d79338d1c3e9bab85aae9e81de9e7f37d502252f2b1c64bd34cc6977592831d938b1656a5b1ff80f6004b208c74f164fc9a2
-
Filesize
163KB
MD507ae95ea3bc6f15f78ee51c2f3542110
SHA1f44ffb2ba664d3c4dbb7929e3642aa746e9405b5
SHA2563cced0162ddb9e5f1e63ee1b36fd6e581c090318dce1a0af01b77f5ea9952c80
SHA5124a0fb33185481d8a2ae7d103d7c7c14ec38ebae27ae9bf069f2e69d859218f3161e9394c631af173c6b2f13befa7842394990cd867d54a858d285d890619f653
-
Filesize
517KB
MD55d35d3d2e82930db5ca1ba663d253105
SHA18d05fcc96a61ce068233dfb000b91b9436d70013
SHA256d68711c2d5a4e1c68f73d875b756073cfb4c544e77419752f3a691c66b2f3b6f
SHA512a3502042239b842e41b9af17b466d82fc01e4109432c67d4be7200c12c82c48364b88bbd9257fec77b786c858b96d0f3bf9820d253bbb05f23564cb8afd3c866
-
Filesize
256KB
MD552fd817d929def6510d54bf4bbb6d0cc
SHA186ce35b7dc34a3a447cc6e29cba085bc97071a4e
SHA2562f21a41255ddc9ec0b3bc205932cb560ccb2363d7b9a0b9289a94954047dbd35
SHA51206f3fd3adf723f2b23613ee258132a7e82ca7484cc773399207708350a8ec6da7a66b71a615e8d1174892e2f30072ffc5e490a0f38b598f41d60f9efe568418b
-
Filesize
1024KB
MD5d1c3319e4a463a74db78cf2e495f81ec
SHA1453db9ffecef6d7f2fdfc817117d64dad2fe31b1
SHA256765e94ac805f317f0c43741e5b0ba0144f5df7f2394b9997b36805de522d6ec8
SHA512e4c926fbd0820d8a032be8f83e34d8134d7327d3ccaca54bfc50fc8a76d7d25c08a6929f5442b37c7c09073ebfa798a258e8e568c1f4fb7afdf5e8abe3eb8be0
-
Filesize
246KB
MD54f371b92d85de1b884803f19aa1a08e6
SHA155d534358f1265ae1cebc98bcdd21d5c4cff1a81
SHA256c8eb98952df8a332171b2ee36c3faec5e32ebb99304e5a301d46f62f2c616935
SHA5129a3470d1bf21e9253fad811410eda9ce8ca602cd9f6344d0f3476f0365a968a8399e2c541655356f2c3c97a5850ee39d8937cb63b19a6e0a57bba303366aad09
-
Filesize
34KB
MD59e2ee65661bee40438d514fe592bfcf8
SHA1140a77e69329638a5c53dc01fbcfe0ce9ab93423
SHA256ac9ee085920a3d8b076d5e0c61dc9df42c4bac28d1fc968344f9ceddb3972f69
SHA5123b3c7ff00d8f12cea48008a2e95c194f7fc64ee96425a3cfefb8b65a9f7dad66fa16104ec1cf96ac6892426e5e8ab59dab91e3d56d76f58753b80f8ac48f2612
-
Filesize
145KB
MD523ed00385dab0f612e66eb0d4ac947ab
SHA1acc115c0f9f6a25bee5ff37f8af4fdd695d8b596
SHA2566b00590bd7a52a94e9e90e35a28c1d2fa03f83f458d2f2dfbced70a9c1ea0c80
SHA5128f5d6d8f888f92be698a1d96824e3c735eb847bc8b1ae5835b9da65d4b6bb7c1690636873565e643d7ea6a19107d40e3a267c89bcfd4a896f356d90b38ecb039
-
Filesize
4KB
MD59d2bf033acde5a212f6f5404d490e169
SHA1a0e28adf40a9d06710d20071dcaba2569b91b1dd
SHA25693e7c6c123d9b53a2d933f63093b4b85302023517f56abf057f9ef8a94d83b8b
SHA5128dcb0dd9dc72c2de61e26932b72d5923a43b0f512e8d2df5334f478a78ee80f492bb8cb193dd3a314a6a19dd95e4899b40e7b76c3b1f767f5e8b46d1b1b3c00d
-
Filesize
5KB
MD521475b17405b86f37a2c15a1df2733b3
SHA1e640903a5fa2a800a27b74c73a02ea855dcbd953
SHA2566e7a86167874f989433a264345e5ea6c0e000861cbca8153858b23d7d35d5ecc
SHA5125752f5cdd3d6e56de8d6382dced5b7425fead8cbdb21755fb504320157a4aad3a713fb8d5d4d52e843d60b0251b3c14ee6e7720824ace97b9fd8a5dbf7e0d8f0
-
Filesize
7KB
MD5ad75fb38d57de96a18fd5fcad4a282cb
SHA12689835e7573d1ea8cfdf6ae7fd77b671baccbc7
SHA256c7b31d6d41b52ea093fc845bb51f5fc8bb772b278a0cd8d0dac980dc9e6b08eb
SHA512ef3e09211a3e58428b94bda0f84d84e83e1e76f40b6f633a6a0e4121cfbdd4cf5253627be285e853d8c536a611f8abf6b2cfdff69033e596c56aaa5b625b6bc2
-
Filesize
12KB
MD5dcfe71d27bf49ba16fde0d1945bfb4a2
SHA186b3d8696b5da354ef42c8ab4a9d21cdaaf0dda1
SHA256eacbfca9a5ef05a108ef5337c773d82a43398bb8ea177e5ebeef62934dd75811
SHA5124da8efcfd4a77e230c61a527eb96b5193b9f5ddc0d476dfca8ce6ba7143ac5c8a1fd8b673cc2c7b554dae42ec01364a178f64532b6de17d44dce07b3089869c3
-
Filesize
82KB
MD55972eeea7971170eb72cab2fc85c2b17
SHA1d327d96bd78c5e851e065d053829abbb370c0c09
SHA2569677467feb714a89de457e262ff6647708b7de66127671b77f7e1e92aa0c2f41
SHA512c55c5217271f29bd3a7a130daa5e5711eff65630127f90112a26bb4ba3dbf416059f9424606bc1998ff4eec874c18767a395e20c3dc516a00079b2c5a7221ed3
-
Filesize
12KB
MD540f8022c3fe4e1cc97bb794e1b519b3f
SHA17ff107451b67b2d432db4706c697a9391c13a6f4
SHA2566b16818c057024f588f4f423cb1f50d24e092fca3c9b5c8c1943cf5b3ea70759
SHA51208a85d0203a0534067538ba0c1f40273409f61f212269cb3095df1defc114ff007efcb4c3c4897a345cda17db16c98b88ae61100b9e4636862d26edb8a402ba3
-
Filesize
5KB
MD51a3c9d80c69b655be2135fe44e309a47
SHA1d8e4f863d7b1dbc8b5e10f1f8111aa5cfac345b5
SHA256bbeb8b92164fce63cb835f59ba1ff554a0e30edf813d30477a44721030fba3f4
SHA512e9c7113ffccbd594216777d77d6c0e7568756a111cb323bf784d7169dc86fcacb7c6c340cb2596c1afa53166c5441bdf1149eddf3d99c5a9cfb9539ff2d091d2
-
Filesize
6KB
MD58a5dbabcb9b11e3e0c527b93e69d5e4d
SHA1c47add614ece5ed16ca456bac08b1f2cbaccfec9
SHA256824ea3f5eabd9c3b8e0041e78935feb65545f58760ce0c47a0d938ad75f8e241
SHA512ddcb3520d68321e6372630cb34473c7b310ffed1263cde8e1059837e63e42e7a7e644537044dee774e9ea3e912e485f2630bc106233e039ea925355ec29921c0
-
Filesize
35KB
MD532aa40b05f3b9f0c3c5a519c2355fdd2
SHA191fabebe46ebd21d2ca329ce33ab7eb2e633f5ab
SHA256f5920991ef1bddb00d4ae09f844d0ba04672a5f26936567547815725a439e3fc
SHA5125b7e46d8153a42a935df33d21e8512fdc087637c1490896d27d37f405c79dc11a4c7fd1b1089cfeacb10b541d3d8842b75e204d190f10a6cebe553f0d76fd4d6
-
Filesize
957KB
MD569477e688bc7ba8aed8d51c638cdf46d
SHA11c8b1b7055d62bcfa1f39548fa4c9904d0e1865c
SHA2569ba07e98c2dfe00c7f00a44cc74da52a9818d39988a105c6af6974a63d04b9ad
SHA512fd0f8b61b27df49e5705ac46436d888f55f2905e85873278ab3e41e5cfbc72701a6324dd46b2554592e7b0c22042a5903ee6896a874d1829c0bb682d9276b880
-
Filesize
13.0MB
MD5e868c731ec770c425dbc74881b3ca936
SHA1a8dc99a2e0bc3360f8441243aab13fe7279a759a
SHA2561e5a4b342c6417bb9352e8c29cb839413987a06438e7b48fd0320925827f289c
SHA51251bbdbcd06bc41c1ef6a589ca2b6300f1f9350d11b8bfa60605c7a68a0d6a714998bec6060cbc3b27dd2d1485d57f344890b0278d7313dbdb5593334ceea3b49
-
Filesize
1.2MB
MD5acebc69ae67997867002990dae3f699d
SHA18483b45b2faaa21ad548e72fb49ae3a08143334e
SHA256f545fbcf52e694eaed07f7869ee67d1dffea29a3769e2482f5eccb3c21148442
SHA5126c9f88407ffbf228f44270c28d0eeba804a8f3198454becebdd5f2d13eda5c1f0407f1e98569bbcd490225a10ba6e1917c1af1971bd1f636a71250b602dcbf28
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize328B
MD5373fb3a5c9ca655d5fe6e76c915a6d59
SHA1a726f77ad48f55a7148490c3840b9a15b00289c4
SHA256776db54a677376f8702ce8b2f5c40638b2a1fd86a9a8b880e868245b4157ab8f
SHA5126cadb0e87671857e643c4cdf675acfde17c50c9607ff378ddce40d37ee88f557143a435f8820091222bdeef71966752d255199dfee289ea9a074eb6c1ecccfa2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize328B
MD59bd2f1200c4812c1a7da2daefcbbbbfd
SHA15874e7996a673fc492ca785f81433917a6c9f349
SHA256183cdc95a95a94d9351262386b1c67a38e1c7a75d2816592982f8f8537589385
SHA512383196c6c22895de5f157bd7b60edb3389cd31ab4e61c2772afd4e13f8204942c1a45d0d2f2a63007d3540bb6a10f132bc4e82ec9eb7eac83ac6abc3dd353046
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
152B
MD5b9569e123772ae290f9bac07e0d31748
SHA15806ed9b301d4178a959b26d7b7ccf2c0abc6741
SHA25620ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b
SHA512cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795
-
Filesize
152B
MD5eeaa8087eba2f63f31e599f6a7b46ef4
SHA1f639519deee0766a39cfe258d2ac48e3a9d5ac03
SHA25650fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9
SHA512eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c
-
Filesize
4KB
MD562e3b41d6ab3ed97af3990b1a8d21d0d
SHA1aaf8d3071982e2b9ca71df1e32da1b11c083e63c
SHA25697438139cb7d3a2ce2667d427da35ad3a3894107f6a7c1537ba2ff2b481a3ebd
SHA512a42b8e9446ec2612a3cb95d5a7d90c551f13f79e09df8287d18fd0e46724ec368b712d18b89ff64cd0f0fa6d96734b8eb92f30fb0c08f2fb4cd5fadc1acb6475
-
Filesize
4KB
MD55e667bb6764e8f2dc2ab1e0434444f5e
SHA124dbd9662297bdbeefa70d3f62aa92104eb1107c
SHA25667b775203e8e2d4b3ce25b31c532fbb72e600f70640bc6e5b2d199e6cd60ebe2
SHA512fee80c40ebfd62806d352086eab442e2de329851faba695229263054ef6b17ea3794fb96d2c8c477cc98bfbd2aeb9bada85434e2260b852d6551d050bc1748f1
-
Filesize
5KB
MD5f01cded62358257edf06bc1090ac8296
SHA1b00c93406ac5729f29ec79bccd0cf3039cea0406
SHA256f80ce8ffbd0f4223a809611fdd5c271426af7bf88b87e79925a2f383731cc196
SHA51287995c02503524141fa725662a05a65cf56cc0bd153f0e3d8aff7d5525d2a94fbbb8663add5ac94e74daeb65a7e29ebc439546f1758deab2841a4da5b455ed01
-
Filesize
6KB
MD540c6b8247565d31f3b9bfbb44fbb6407
SHA1c0583110adad4938f3dc26ade297a03653b533ba
SHA2566255b7ba6a2e856bc53ed61d82da0372221e815aa8dafac4075e4c5c99180a11
SHA512aca9395bb0833be9baa5c5521ab698a05825d85abdb451055b7eaa62b4e64170ae5f9861a6265bb6a53c8fbed3a921d645ebc157ecf475e8d01b853e9e3a1354
-
Filesize
6KB
MD53bdb05ec5044c711c91f4c99548d324e
SHA10ded83e5d3056f9cc8c63d313286e4c4ec748004
SHA256a7a07c277d7a13d93b5af7f26a15d141b04349a7903b349170c4e3ef2ff42bb7
SHA5121505f9bf0a28eac6ecebf01613649d0a5712b765dbfc10036ed58984353aa087c4bacd46fd3e624a7e58cde976456255cf6b088c4fe96f9cd540dea0242c13df
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD5256433d8756aa068803ed089e74b5a3a
SHA1ef57657ec7d707724581722395c0c4e1971c51cb
SHA2560f54c5bc7825e4940877da6b4b97b14c898d457f079bbd42c9d37aa9a3fae736
SHA512fe4599907c4be65edb3f1b2a164cec0c176de49a052f39428500b9b289a26782b89b982229936098f41988d6d1eea37c7a18e74f633ee9e6b53e3cc31957aaf4
-
Filesize
10KB
MD5a31b501c3c44d10d681be54052aaba06
SHA105545756204c6675c1d03c9c68c2e47d68cac014
SHA2565f5b71cf7c7f00411e8cd24d1539f49b32f46c4c2edf1d1673bbc735d9f35a59
SHA512c93667c58470823db505baa58ba81c7b78585bd07aa62b51e5dc40921139664b2c0ca313d7031f2439b386b1ca13bf0536ffce8a36a88e2e6d8a61f3dba7878f
-
Filesize
10KB
MD5887810ffe3010ce05c0bf9fcf68748fa
SHA199b41744f44544adf674316bf1496afb6f21138a
SHA256bb8ede248bfbcac74369eaa032ae75bb2400a9d61ec2db2066c1d087d04047ae
SHA51201f1a7ab9dd08c49d5ac8a936fe4d9fb51257e29207039369b64d1f5867412bc2c0c7536d832e59e1bf9439a55930f4b4fd45300a840e22709c6f28f95f7b9d1
-
Filesize
18KB
MD51bfe6449c7599516d8c3a4d5574654d4
SHA12e2213e92f45116b2fc846679da8cdcb7ef4184b
SHA2562bf2c4dd24e6772acf71eebe5b0b3f5b161368c1a1e02eaae646ea0654f0f199
SHA5123ef55af983f8ed8018e94a7caea7131d649a12125c8f6944bf59023a8737b216209225eba456cb7d4fa511a456a096f38722d425463e86bbc10aed8ee1a639ad
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409131803591\additional_file0.tmp
Filesize1.4MB
MD5e9a2209b61f4be34f25069a6e54affea
SHA16368b0a81608c701b06b97aeff194ce88fd0e3c0
SHA256e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f
SHA51259e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5
-
Filesize
6.4MB
MD5defd30ea336650cc29c0c79fad6fa6b5
SHA1935d871ed86456c6dd3c83136dc2d1bda5988ff3
SHA256015a13bd912728e463df6807019b1914dffc3e6735830472e3287150a02e13f4
SHA5128c6ebbf398fb44ff2254db5a7a2ffbc8803120fa93fa6b72c356c6e8eca45935ab973fe3c90d52d5a7691365caf5b41fe2702b6c76a61a0726faccc392c40e54
-
Filesize
5.9MB
MD5640ed3115c855d32ee1731c54702eab7
SHA11ac749b52794cbadfec8d9219530e9a79fc9427c
SHA25629b4cabc7a0e9dffbc2395b976749be0aad88357dd3b1d7e0cfc9b0c645421a3
SHA512bebe55fdbb363b78c4a6371304f65b89e03a03cee5a8ebceee1681261d8df64a0de36888ed763c3a607ae2732ab54e2e41edb624f37a7fdf8755c40e6bb96f53
-
Filesize
1KB
MD561b00fa9f8f30bb8324ca1a5fd042c73
SHA144afb5a0f288d8baeb0f667ca7e978e48174e36c
SHA2567cf9aa4c080eac793113afce38a5c8081d19c51f68955ed06ebba73de7509b51
SHA5123db8cb8fe6f60b0424217cb50a409b5943e498313c6f8fbeb1074e945dfb92053313509235d5f13f98edbf0cf76bb9aefb0d810fcd51fbe9e4e52b9162135e2f
-
Filesize
934KB
MD5f7f32729079353000cd97b90aa314cc1
SHA121dbddeea2b634263c8fbf0d6178a9751d2467b8
SHA2568e29aa00863b1746ba25132f7ecb7bcb869d3a7e647dc8d6d3255491c5ac5212
SHA5122c40c12b81e7c377ddf0a6691ebeedc895dcf02c9211a1563b840de735fab77968565b1d3d0c40cc0b2b583fd4bfa1c69f995fca758ea85f548bf5797b5bf847
-
Filesize
1.9MB
MD5cb02c0438f3f4ddabce36f8a26b0b961
SHA148c4fcb17e93b74030415996c0ec5c57b830ea53
SHA25664677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32
SHA512373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3
-
Filesize
5.8MB
MD50dc93e1f58cbb736598ce7fa7ecefa33
SHA16e539aab5faf7d4ce044c2905a9c27d4393bae30
SHA2564ec941f22985fee21d2f9d2ae590d5dafebed9a4cf55272b688afe472d454d36
SHA51273617da787e51609ee779a12fb75fb9eac6ed6e99fd1f4c5c02ff18109747de91a791b1a389434edfe8b96e5b40340f986b8f7b88eac3a330b683dec565a7eff
-
Filesize
429KB
MD5ae4581af98a5b38bce860f76223cb7c9
SHA16aa1e2cce517e5914a47816ef8ca79620e50e432
SHA2567c4b329a4018dc7e927a7d1078c846706efae6e6577f6809defaa51b636e7267
SHA51211ad90a030999bbb727dbfde7943d27f2442c247633cde5f9696e89796b0f750f85a9be96f01fa3fd1ec97653a334b1376d6bb76d9e43424cabe3a03893ecf04
-
Filesize
2.8MB
MD51535aa21451192109b86be9bcc7c4345
SHA11af211c686c4d4bf0239ed6620358a19691cf88c
SHA2564641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
SHA5121762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da
-
Filesize
4KB
MD5016bf2cf2bad527f1f1ea557408cb036
SHA123ab649b9fb99da8db407304ce9ca04f2b50c7b4
SHA25617bb814cfaa135628fd77aa8a017e4b0dcd3c266b8cdca99e4d7de5d215643c0
SHA512ac2d4f51b0b1da3c544f08b7d0618b50514509841f81bc9dad03329d5c1a90e205795a51ca59522d3aa660fb60faae19803eceeeea57f141217a6701a70510e7
-
Filesize
15KB
MD55622e7755e5f6585a965396b0d528475
SHA1b059dc59658822334e39323b37082374e8eeaac4
SHA256080cb8ef0cbf5a5de9163b365eec8b29538e579f14a9caa45c0f11bc173c4147
SHA51262f5abda3473ca043bf126eed9d0bcc0f775b5ac5f85b4fe52d1d656f476f62188d22cf79b229059a5d05e9258980c787cb755f08ca86e24e5f48655b5447f8e
-
Filesize
8KB
MD501a5131931ef35acecbe557ba13f3954
SHA1c7afc7590d469432704d963ffcee31ad8bcfc175
SHA256d364872ddde28d81d23bb3b08f9e86f921b542f3a35fcaf12549cf5666462bd0
SHA512ce32352484d676bd0f47c24808707c603fe9f09e41afd63d90f07599f13a5e32c73b0970a9964632f76f5843dda87a033340ee12fadd87b9f219329d0c69b02e
-
Filesize
5KB
MD5e0c7cc30d8f9a3cf0140bf838198571b
SHA12494a9ab234b90ff0a3cc2dbc152483fb540afd3
SHA25673bb7f4a70650054fb42f4c7ab85d9a683253a0df26703ecd4a2bb3155d93cb4
SHA5127b87a3296fd984d89dacfa70bdc274ed9faf553c3e086d3e865ed7a2e55f92fbb55bd270a5863ebb6b95f3ce26d321b5936665741300676863f40111b95a6e75
-
Filesize
167B
MD56465a5431e01a80bf71aca9e9698e5b0
SHA1d56ed108f13a6c49d57f05e2bf698778fd0b98dc
SHA2561c5f05fecfc1f4fd508f1d3bbb93a47e8b8196b9eded5de7152a6fa57ca7580f
SHA512db7f64b8af595d0bf6fd142471868df6d29ec7cfbb49a7e0da63d9bc8ca8f319e4c41f2c7baeafe17a3679861163400ccb36c18617982b244aaf482e9c264e55
-
Filesize
833KB
MD5b401505e8008994bf2a14fdf0deac874
SHA1e4f7f375b1e88dd71a0274a997ed5d9491bde068
SHA2566bcf6b84d71737787e3cc8d9d0eed9720f388cc2d0337832a7e8ca3c6f455a41
SHA5121bca98547ecf5a98d42b1d77cff50ca79ee560c893b2470aeb86887fef6e40a5ccdb72956f04a1d2a862827eebd3b7746e3043f3e6209597dcde9385ed55cc11
-
Filesize
12KB
MD5c4d9d3cd21ef4de91abc95f99c4bc7dc
SHA1b2cf457237c44c824068727b8440fe6a352a360c
SHA2566fd1c3bde9a6a478e39d1cf2121e980c0bcf59454fe1673d707aa70170953bc9
SHA512d10fbb0bdfb30160484950aa58bd2f97c38cf2d0914550b4041c9acd273e8013920ef1ee74216f92437a44ab81111a4c70ed3dc2df680ee4d187c22557900ee7
-
Filesize
3.1MB
MD580bf3bf3b76c80235d24f7c698239089
SHA17f6071b502df985580e7c469c6d092472e355765
SHA2562b95e56af10406fbd3ecee38dab9e9c4a9b990d087f2ad2d7b1981c087829da2
SHA512076b8b6a80ea15738ce682cc715792546582d7a74f971f94f6b5b9cf8164f01280322baec7f72894ac4b8d63b9f2f6074e8fc5e47880ef6c0b57a47beef3581a
-
Filesize
12KB
MD5cea5426da515d43c88132a133f83ce68
SHA10c224d0bb777f1e3b186fdf58cc82860d96805cc
SHA2562be7a0865ded1c0bd1f92d5e09bb7b37a9e36a40487a687e0359c93878611a78
SHA5124c1f25147222c84dff513bebf00e828719454ad634ef9380cfc7835f0457a718b4b437ecb60c1fa72a7f83fbb67e1ddfcd225194eedda77034c72f8c752c642c
-
Filesize
13KB
MD549f4fe0c8646909c7cf87adf68d896fd
SHA19193264c38e5ed9fa0f5be1d79f802cf946a74cf
SHA2569292dfcddc9e88e5dbc095ceeb83ce23400a3405a4d47fffc80656941c87d5ec
SHA5129df4db8c958110cea66f627170919346ed673d3c13aa55292484fc74ebac2864b0292cd4d66d35957b4b2740b2fe30ddfb9d9e04115d655fb58bf39e100d285e
-
Filesize
972B
MD5f48be9db7436f1c53508f1ad70064459
SHA116b20d3933cc6398859f1334a848982cccfd8501
SHA256f79460fad80962fabe51f271a2ad33fd54c418fbb0a8646c1d78654696d7d7b2
SHA512c7870b4fd16827817fa16c68f9d1a51270cfd9dc052861977a12ffcbc91a1668c82f168f8b33661d68579cfed766e15d0e436794d0eed164946eb9927355b638
-
Filesize
32KB
MD5e40209599b592630dcac551daeb6b849
SHA1851150b573f94f07e459c320d72505e52c3e74f0
SHA2563c9aefa00fb2073763e807a7eccac687dcc26598f68564e9f9cf9ffdcd90a2be
SHA5126da5895f2833a18ddb58ba4a9e78dd0b3047475cae248e974dc45d839f02c62772a6ba6dfe51dd9a37f29b7ec9780e799f60f0e476655006dec693164e17eec2
-
Filesize
6.2MB
MD5a79fb1a90fb3d92cf815f2c08d3ade6d
SHA125e5e553af5e2d21b5cfc70ba41afb65202f6fd5
SHA25643759b0c441fd4f71fe5eeb69f548cd2eb40ac0abfa02ea3afc44fbddf28dc16
SHA51282aa45337987c4f344361037c6ca8cf4fbf0fc1e5079ac03f54f3184354792965f6f3b28bd2ab7b511d21f29859e2832fc6b6122a49ddecde12afc7e26fd62dd
-
Filesize
111KB
MD5e87a04c270f98bb6b5677cc789d1ad1d
SHA18c14cb338e23d4a82f6310d13b36729e543ff0ca
SHA256e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338
SHA5128784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13
-
Filesize
68KB
MD5338a4b68d3292aa22049a22e9292e2a2
SHA19595e6f6d5e18a3e71d623ac4012e7633b020b29
SHA256490d833205f9dfe4f1950d40c845489aa2d2039a77ab10473384986f8442ea6f
SHA51206bc6463b65508d050c945d5bf08078eecd6982c74c7bab2a6722b99523189d24f530c10c05577e0dbd5b46e896d472112d036023ef5e576e2a8f9401b8668a5
-
Filesize
2.3MB
MD56a80889e81911157ca27df5bc5ac2e09
SHA102ac28dd7124317e294fac847a05b69411c9cdb2
SHA2560b74c13914f712fce5bb41c25a443c4214a97792bdbb6fea05b98350901405ff
SHA512329ec105834f4531386090074994e5c4ddbdaf4cc4801956b675e258e9167f9e70cf31b8d636d119b59b57af0912decdc259d12999842008cec807a967c89aef
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
659KB
MD55aa68bb2bf3b994bda93834ad34e7963
SHA10156732d5dd48feacfab3aa07764061d73b9116c
SHA256a90bfd9874c3e60650dba4c286b97ccdb375a456b95556feb38f3cba214770aa
SHA512e52fecbba96aa911552ef0e11d5d044ec44caf6e0947f64c9a17b04d846a3e86d19e4dfa5ac981fc98d44f941fda3a697c1d23ac6e8ef162f4bcdde9142f22f7
-
Filesize
3.1MB
MD5292d91bef15a5a5d5f5c06425a96e0ee
SHA15f4400c94ceebf54825e94cb5d9f616850331e96
SHA256b6f6cbd03951a6feee4d4766443ce0b7623db000cbfe774146ee43f5a5831373
SHA5120aca0538ce4c94ef9a8008846add36f51db001905f6cdb373a0348094f11762269aaf92928c6761eb41b1b22cd045ece325b9cd71c67944a1e6c092a72fca200
-
Filesize
688KB
MD5c765336f0dcf4efdcc2101eed67cd30c
SHA1fa0279f59738c5aa3b6b20106e109ccd77f895a7
SHA256c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28
SHA51206a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
124KB
MD5faad66061f9296123fa1e9de4b971bf0
SHA1720e8676c3abca9eb98b815635656fefe9507fe5
SHA25696d65a33b97b640693e6d150f3ef36e9e487e2683f9ecd8554841c99e92bab2e
SHA512ad577dc4991573d152438ca803a57d80ad9b030afb802e828af10154d9d5988aaf750d0165ee4fac139c08abf7cf3581b3642082e4b98efcfbe41cd9186bad9a
-
Filesize
5.0MB
MD5c822ad3a46e58afab84d23614a08e0bc
SHA1196f257903ccefa439dc673690c6910356bd1d81
SHA256a8dc0fe0bcf7f1553cf0f530f88b38f033b914170d71df05f84093498d82d438
SHA512bc5da3bac510289c47d7c835ae6dd50fe96f64e1f522ac930be451cd9e47c5d395b5ff463f9b4aee33b98785f1bd4eec6a0d321962ecbc60e2eb5a0d66c735d2
-
Filesize
2.1MB
MD5d21ae3f86fc69c1580175b7177484fa7
SHA12ed2c1f5c92ff6daa5ea785a44a6085a105ae822
SHA256a6241f168cacb431bfcd4345dd77f87b378dd861b5d440ae8d3ffd17b9ceb450
SHA512eda08b6ebdb3f0a3b6b43ef755fc275396a8459b8fc8a41eff55473562c394d015e5fe573b3b134eeed72edff2b0f21a3b9ee69a4541fd9738e880b71730303f
-
Filesize
126KB
MD52597a829e06eb9616af49fcd8052b8bd
SHA1871801aba3a75f95b10701f31303de705cb0bc5a
SHA2567359ca1befdb83d480fc1149ac0e8e90354b5224db7420b14b2d96d87cd20a87
SHA5128e5552b2f6e1c531aaa9fd507aa53c6e3d2f1dd63fe19e6350c5b6fbb009c99d353bb064a9eba4c31af6a020b31c0cd519326d32db4c8b651b83952e265ffb35
-
Filesize
195KB
MD534939c7b38bffedbf9b9ed444d689bc9
SHA181d844048f7b11cafd7561b7242af56e92825697
SHA256b127f3e04429d9f841a03bfd9344a0450594004c770d397fb32a76f6b0eabed0
SHA512bc1b347986a5d2107ad03b65e4b9438530033975fb8cc0a63d8ef7d88c1a96f70191c727c902eb7c3e64aa5de9ce6bb04f829ceb627eda278f44ca3dd343a953
-
Filesize
127KB
MD52027121c3cdeb1a1f8a5f539d1fe2e28
SHA1bcf79f49f8fc4c6049f33748ded21ec3471002c2
SHA2561dae8b6de29f2cfc0745d9f2a245b9ecb77f2b272a5b43de1ba5971c43bf73a1
SHA5125b0d9966ecc08bcc2c127b2bd916617b8de2dcbdc28aff7b4b8449a244983bfbe33c56f5c4a53b7cf21faf1dbab4bb845a5894492e7e10f3f517071f7a59727c
-
Filesize
36KB
MD5f840a9ddd319ee8c3da5190257abde5b
SHA13e868939239a5c6ef9acae10e1af721e4f99f24b
SHA256ddb6c9f8de72ddd589f009e732040250b2124bca6195aa147aa7aac43fc2c73a
SHA5128e12391027af928e4f7dad1ec4ab83e8359b19a7eb0be0372d051dfd2dd643dc0dfa086bd345760a496e5630c17f53db22f6008ae665033b766cbfcdd930881a
-
Filesize
93KB
MD57b4bd3b8ad6e913952f8ed1ceef40cd4
SHA1b15c0b90247a5066bd06d094fa41a73f0f931cb8
SHA256a49d3e455d7aeca2032c30fc099bfad1b1424a2f55ec7bb0f6acbbf636214754
SHA512d7168f9504dd6bbac7ee566c3591bfd7ad4e55bcac463cecb70540197dfe0cd969af96d113c6709d6c8ce6e91f2f5f6542a95c1a149caa78ba4bcb971e0c12a2
-
Filesize
1KB
MD57f0c8f4604502150d6f70eced4def682
SHA1b08536c8afcbd0f0da0a25e9e0de944932df1d0d
SHA2564e7ace988006ce289c939cbc80e9ef541fec8496702a5de639eca195d403bde4
SHA5120549eadedd37109f1a549dd9d2f61b3ce043a4cecb59fdb8758e2677f64c101f41b5672f40162c7b4b75b3eccd08170774be60f39cce82da997e8713c98d9cf0
-
Filesize
5.2MB
MD5e9876ee9f16cacf70b9bfa86817d15ed
SHA1dec6ab0d0f2e9fdbb5c280fb0e58021a8ef7452f
SHA25674c1803884cb1add8b657bf71b6252920e803d34eb95772c6d98f5151058464c
SHA512478144c2401d877ac15184662ec6f13ce714c89ea488432df7d418788ea48cfaf1562aad87739fe7399f0dd306f35bca1ad62784930ff27067c887806685c5d4