agenttesla | d6e71815c4403aa5088ae589e2ee00a7182bbd470dac0934d6cf3c15427ec8fa

Resubmissions

21-09-2024 11:24

240921-nh2amazcjb 10

Analysis

max time kernel
34s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53.exe
Size

59.1MB
MD5

3c0086e9a2673adca00e903795ded6b4
SHA1

f39a8ac3a16d7723b2a1e91cd4ed0ebd491ca2a3
SHA256

08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53
SHA512

bb708052eea814a90fd3e356933bc144a59fbc4d8b1975b67c8297514ac75d01a6f54e11cc3cf996624e46a49c95a7c82995ee1ee3dda81c7f03639a6071a42b
SSDEEP

1572864:yLOrJXzVU0mzSuu2etPQiWmoh8rbu8CQG2Y:yLqJXBU0/uu3IDmnrbRY

Score

10^/10

agenttesla cobaltstrike modiloader raccoon xmrig 2ca5558c9ec8037d24a611513d7bd076 aspackv2 backdoor discovery evasion execution keylogger miner persistence spyware stealer trojan upx

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
webmaster
Email To:
[email protected]

Extracted

Family

raccoon

Botnet

2ca5558c9ec8037d24a611513d7bd076

https://192.153.57.177:80

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
behavioral2/files/0x0018000000022a8e-2404.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\eyplorer.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,"	reg.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2264-2399-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/2264-2398-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/6308-2520-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2

XMRig Miner payload 22 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/6764-2431-0x00007FF671200000-0x00007FF671551000-memory.dmp	xmrig
behavioral2/memory/5476-2481-0x00007FF7B59C0000-0x00007FF7B5D11000-memory.dmp	xmrig
behavioral2/memory/4532-2478-0x00007FF6C6B60000-0x00007FF6C6EB1000-memory.dmp	xmrig
behavioral2/memory/6916-2484-0x00007FF6688E0000-0x00007FF668C31000-memory.dmp	xmrig
behavioral2/memory/3260-2485-0x00007FF66F7D0000-0x00007FF66FB21000-memory.dmp	xmrig
behavioral2/memory/5256-2490-0x00007FF6A4380000-0x00007FF6A46D1000-memory.dmp	xmrig
behavioral2/memory/6148-2491-0x00007FF625ED0000-0x00007FF626221000-memory.dmp	xmrig
behavioral2/memory/6776-2492-0x00007FF6B5470000-0x00007FF6B57C1000-memory.dmp	xmrig
behavioral2/memory/2268-2489-0x00007FF6CBD60000-0x00007FF6CC0B1000-memory.dmp	xmrig
behavioral2/memory/4556-2488-0x00007FF70F070000-0x00007FF70F3C1000-memory.dmp	xmrig
behavioral2/memory/1776-2483-0x00007FF6FFFB0000-0x00007FF700301000-memory.dmp	xmrig
behavioral2/memory/6120-2472-0x00007FF676340000-0x00007FF676691000-memory.dmp	xmrig
behavioral2/memory/6636-2463-0x00007FF610130000-0x00007FF610481000-memory.dmp	xmrig
behavioral2/memory/4404-2447-0x00007FF6024A0000-0x00007FF6027F1000-memory.dmp	xmrig
behavioral2/memory/6316-2519-0x00007FF7A6E90000-0x00007FF7A71E1000-memory.dmp	xmrig
behavioral2/memory/2132-2521-0x00007FF7B4280000-0x00007FF7B45D1000-memory.dmp	xmrig
behavioral2/memory/6160-2523-0x00007FF78B310000-0x00007FF78B661000-memory.dmp	xmrig
behavioral2/memory/6660-2524-0x00007FF768C90000-0x00007FF768FE1000-memory.dmp	xmrig
behavioral2/memory/6240-2527-0x00007FF67C170000-0x00007FF67C4C1000-memory.dmp	xmrig
behavioral2/memory/740-2528-0x00007FF625D60000-0x00007FF6260B1000-memory.dmp	xmrig
behavioral2/memory/6432-2529-0x00007FF6E8F00000-0x00007FF6E9251000-memory.dmp	xmrig
behavioral2/memory/6336-2530-0x00007FF6E9450000-0x00007FF6E97A1000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2832	powershell.exe
5424	powershell.exe
6408	powershell.exe
6400	powershell.exe
6392	powershell.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
5432	attrib.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023475-97.dat	aspack_v212_v242

Executes dropped EXE 6 IoCs

Processes:

i.exestopwatch.exeanti.exeneurosafe.exescreenscrew.exePurchaseOrder.exe

pid	Process
2664	i.exe
1640	stopwatch.exe
4984	anti.exe
3620	neurosafe.exe
2600	screenscrew.exe
860	PurchaseOrder.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/6316-2392-0x00007FF7A6E90000-0x00007FF7A71E1000-memory.dmp	upx
behavioral2/files/0x0018000000022a8e-2404.dat	upx
behavioral2/memory/6764-2431-0x00007FF671200000-0x00007FF671551000-memory.dmp	upx
behavioral2/memory/6240-2448-0x00007FF67C170000-0x00007FF67C4C1000-memory.dmp	upx
behavioral2/memory/6432-2465-0x00007FF6E8F00000-0x00007FF6E9251000-memory.dmp	upx
behavioral2/memory/5476-2481-0x00007FF7B59C0000-0x00007FF7B5D11000-memory.dmp	upx
behavioral2/memory/4532-2478-0x00007FF6C6B60000-0x00007FF6C6EB1000-memory.dmp	upx
behavioral2/memory/6916-2484-0x00007FF6688E0000-0x00007FF668C31000-memory.dmp	upx
behavioral2/memory/3260-2485-0x00007FF66F7D0000-0x00007FF66FB21000-memory.dmp	upx
behavioral2/memory/5256-2490-0x00007FF6A4380000-0x00007FF6A46D1000-memory.dmp	upx
behavioral2/memory/6148-2491-0x00007FF625ED0000-0x00007FF626221000-memory.dmp	upx
behavioral2/memory/6776-2492-0x00007FF6B5470000-0x00007FF6B57C1000-memory.dmp	upx
behavioral2/memory/2268-2489-0x00007FF6CBD60000-0x00007FF6CC0B1000-memory.dmp	upx
behavioral2/memory/4556-2488-0x00007FF70F070000-0x00007FF70F3C1000-memory.dmp	upx
behavioral2/memory/1776-2483-0x00007FF6FFFB0000-0x00007FF700301000-memory.dmp	upx
behavioral2/memory/6120-2472-0x00007FF676340000-0x00007FF676691000-memory.dmp	upx
behavioral2/memory/6336-2471-0x00007FF6E9450000-0x00007FF6E97A1000-memory.dmp	upx
behavioral2/memory/740-2466-0x00007FF625D60000-0x00007FF6260B1000-memory.dmp	upx
behavioral2/memory/6636-2463-0x00007FF610130000-0x00007FF610481000-memory.dmp	upx
behavioral2/memory/4404-2447-0x00007FF6024A0000-0x00007FF6027F1000-memory.dmp	upx
behavioral2/memory/6660-2428-0x00007FF768C90000-0x00007FF768FE1000-memory.dmp	upx
behavioral2/memory/6160-2424-0x00007FF78B310000-0x00007FF78B661000-memory.dmp	upx
behavioral2/memory/2132-2418-0x00007FF7B4280000-0x00007FF7B45D1000-memory.dmp	upx
behavioral2/memory/6316-2519-0x00007FF7A6E90000-0x00007FF7A71E1000-memory.dmp	upx
behavioral2/memory/2132-2521-0x00007FF7B4280000-0x00007FF7B45D1000-memory.dmp	upx
behavioral2/memory/6160-2523-0x00007FF78B310000-0x00007FF78B661000-memory.dmp	upx
behavioral2/memory/6660-2524-0x00007FF768C90000-0x00007FF768FE1000-memory.dmp	upx
behavioral2/memory/6240-2527-0x00007FF67C170000-0x00007FF67C4C1000-memory.dmp	upx
behavioral2/memory/740-2528-0x00007FF625D60000-0x00007FF6260B1000-memory.dmp	upx
behavioral2/memory/6432-2529-0x00007FF6E8F00000-0x00007FF6E9251000-memory.dmp	upx
behavioral2/memory/6336-2530-0x00007FF6E9450000-0x00007FF6E97A1000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
228	raw.githubusercontent.com
229	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
195	api.ipify.org
196	api.ipify.org

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

explorer.exetaskkill.exetaskkill.exetaskkill.exeanti.execipher.exetimeout.exetaskkill.exetaskkill.exetaskkill.execmd.exereg.exetaskkill.exetaskkill.exestopwatch.exereg.exetaskkill.exescreenscrew.execmd.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exereg.exeexplorer.exePurchaseOrder.exetaskkill.exereg.exeneurosafe.exetaskkill.exe08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53.exechcp.comtaskkill.exetaskkill.execipher.exetaskkill.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stopwatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	screenscrew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurchaseOrder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neurosafe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Delays execution with timeout.exe 5 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	Process
4808	timeout.exe
3868	timeout.exe
1624	timeout.exe
5816	timeout.exe
5152	timeout.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
1112	taskkill.exe
5768	taskkill.exe
5696	taskkill.exe
6128	taskkill.exe
3916	taskkill.exe
4196	taskkill.exe
2412	taskkill.exe
5316	taskkill.exe
5600	taskkill.exe
6140	taskkill.exe
5436	taskkill.exe
3188	taskkill.exe
2204	taskkill.exe
3792	taskkill.exe
1604	taskkill.exe
3096	taskkill.exe
7064	taskkill.exe
1592	taskkill.exe
6104	taskkill.exe
3716	taskkill.exe
5624	taskkill.exe
3280	taskkill.exe
2240	taskkill.exe
5716	taskkill.exe
5376	taskkill.exe
4388	taskkill.exe
5776	taskkill.exe
5540	taskkill.exe
6140	taskkill.exe
1644	taskkill.exe
5360	taskkill.exe
4436	taskkill.exe
2516	taskkill.exe
5800	taskkill.exe
5828	taskkill.exe
4972	taskkill.exe
3188	taskkill.exe
1572	taskkill.exe
5764	taskkill.exe
5640	taskkill.exe
3596	taskkill.exe
5484	taskkill.exe
1624	taskkill.exe
2832	taskkill.exe
5640	taskkill.exe
5016	taskkill.exe
6732	taskkill.exe
6780	taskkill.exe
3768	taskkill.exe
1280	taskkill.exe
5540	taskkill.exe
1412	taskkill.exe
2364	taskkill.exe
920	taskkill.exe
6000	taskkill.exe
5336	taskkill.exe
1112	taskkill.exe
6408	taskkill.exe
1720	taskkill.exe
4904	taskkill.exe
3836	taskkill.exe
6468	taskkill.exe
5780	taskkill.exe
3200	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exeexplorer.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 14 IoCs

Processes:

explorer.exeexplorer.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

Processes:

notepad.exeNOTEPAD.EXE

pid	Process
6604	notepad.exe
6232	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
5620	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

explorer.exeexplorer.exe

pid	Process
3784	explorer.exe
4428	explorer.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

AUDIODG.EXEtaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	Process
Token: 33	2604	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2604	AUDIODG.EXE
Token: SeDebugPrivilege	4436	taskkill.exe
Token: SeDebugPrivilege	3864	taskkill.exe
Token: SeDebugPrivilege	3188	taskkill.exe
Token: SeDebugPrivilege	2240	taskkill.exe
Token: SeDebugPrivilege	5092	taskkill.exe
Token: SeDebugPrivilege	2496	taskkill.exe
Token: SeDebugPrivilege	804	taskkill.exe
Token: SeDebugPrivilege	532	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeDebugPrivilege	728	taskkill.exe
Token: SeDebugPrivilege	4724	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	5016	taskkill.exe
Token: SeDebugPrivilege	4904	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	620	taskkill.exe
Token: SeDebugPrivilege	3280	taskkill.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

stopwatch.exeanti.exeefsui.exe

pid	Process
1640	stopwatch.exe
4984	anti.exe
2904	efsui.exe
2904	efsui.exe
2904	efsui.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

stopwatch.exeanti.exeefsui.exe

pid	Process
1640	stopwatch.exe
4984	anti.exe
2904	efsui.exe
2904	efsui.exe
2904	efsui.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

explorer.exeexplorer.exe

pid	Process
3784	explorer.exe
3784	explorer.exe
4428	explorer.exe
4428	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53.execmd.execmd.exe

description	pid	Process	procid_target
PID 1868 wrote to memory of 2200	1868	08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53.exe	82
PID 1868 wrote to memory of 2200	1868	08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53.exe	82
PID 1868 wrote to memory of 2200	1868	08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53.exe	82
PID 2200 wrote to memory of 3324	2200	cmd.exe	84
PID 2200 wrote to memory of 3324	2200	cmd.exe	84
PID 2200 wrote to memory of 3324	2200	cmd.exe	84
PID 2200 wrote to memory of 2664	2200	cmd.exe	85
PID 2200 wrote to memory of 2664	2200	cmd.exe	85
PID 2200 wrote to memory of 1640	2200	cmd.exe	86
PID 2200 wrote to memory of 1640	2200	cmd.exe	86
PID 2200 wrote to memory of 1640	2200	cmd.exe	86
PID 2200 wrote to memory of 4984	2200	cmd.exe	87
PID 2200 wrote to memory of 4984	2200	cmd.exe	87
PID 2200 wrote to memory of 4984	2200	cmd.exe	87
PID 2200 wrote to memory of 4972	2200	cmd.exe	89
PID 2200 wrote to memory of 4972	2200	cmd.exe	89
PID 2200 wrote to memory of 4972	2200	cmd.exe	89
PID 2200 wrote to memory of 1360	2200	cmd.exe	90
PID 2200 wrote to memory of 1360	2200	cmd.exe	90
PID 2200 wrote to memory of 1360	2200	cmd.exe	90
PID 2200 wrote to memory of 4868	2200	cmd.exe	91
PID 2200 wrote to memory of 4868	2200	cmd.exe	91
PID 2200 wrote to memory of 4868	2200	cmd.exe	91
PID 2200 wrote to memory of 4416	2200	cmd.exe	92
PID 2200 wrote to memory of 4416	2200	cmd.exe	92
PID 2200 wrote to memory of 4416	2200	cmd.exe	92
PID 2200 wrote to memory of 3620	2200	cmd.exe	93
PID 2200 wrote to memory of 3620	2200	cmd.exe	93
PID 2200 wrote to memory of 3620	2200	cmd.exe	93
PID 2200 wrote to memory of 728	2200	cmd.exe	94
PID 2200 wrote to memory of 728	2200	cmd.exe	94
PID 2200 wrote to memory of 728	2200	cmd.exe	94
PID 2200 wrote to memory of 4808	2200	cmd.exe	96
PID 2200 wrote to memory of 4808	2200	cmd.exe	96
PID 2200 wrote to memory of 4808	2200	cmd.exe	96
PID 2200 wrote to memory of 5108	2200	cmd.exe	107
PID 2200 wrote to memory of 5108	2200	cmd.exe	107
PID 2200 wrote to memory of 5108	2200	cmd.exe	107
PID 2200 wrote to memory of 2600	2200	cmd.exe	108
PID 2200 wrote to memory of 2600	2200	cmd.exe	108
PID 2200 wrote to memory of 2600	2200	cmd.exe	108
PID 2200 wrote to memory of 860	2200	cmd.exe	110
PID 2200 wrote to memory of 860	2200	cmd.exe	110
PID 2200 wrote to memory of 860	2200	cmd.exe	110
PID 2200 wrote to memory of 4268	2200	cmd.exe	111
PID 2200 wrote to memory of 4268	2200	cmd.exe	111
PID 2200 wrote to memory of 4268	2200	cmd.exe	111
PID 5108 wrote to memory of 4436	5108	cmd.exe	113
PID 5108 wrote to memory of 4436	5108	cmd.exe	113
PID 5108 wrote to memory of 4436	5108	cmd.exe	113
PID 2200 wrote to memory of 3280	2200	cmd.exe	136
PID 2200 wrote to memory of 3280	2200	cmd.exe	136
PID 2200 wrote to memory of 3280	2200	cmd.exe	136
PID 5108 wrote to memory of 892	5108	cmd.exe	147
PID 5108 wrote to memory of 892	5108	cmd.exe	147
PID 5108 wrote to memory of 892	5108	cmd.exe	147
PID 5108 wrote to memory of 3864	5108	cmd.exe	169
PID 5108 wrote to memory of 3864	5108	cmd.exe	169
PID 5108 wrote to memory of 3864	5108	cmd.exe	169
PID 5108 wrote to memory of 3188	5108	cmd.exe	118
PID 5108 wrote to memory of 3188	5108	cmd.exe	118
PID 5108 wrote to memory of 3188	5108	cmd.exe	118
PID 5108 wrote to memory of 2240	5108	cmd.exe	149
PID 5108 wrote to memory of 2240	5108	cmd.exe	149

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
5432	attrib.exe

C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53.exe
"C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\!m.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3324
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\i.exe
    i.exe
    3⤵
    - Executes dropped EXE
    PID:2664
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\stopwatch.exe
    stopwatch.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1640
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\anti.exe
    anti.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4984
- - C:\Windows\SysWOW64\reg.exe
    reg import font.reg
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4972
- - C:\Windows\SysWOW64\reg.exe
    reg import eee.reg
    3⤵
    - Modifies WinLogon for persistence
    - System Location Discovery: System Language Discovery
    PID:1360
- - C:\Windows\SysWOW64\reg.exe
    reg import nosearch.reg
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4868
- - C:\Windows\SysWOW64\explorer.exe
    explorer
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4416
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\neurosafe.exe
    neurosafe.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3620
- - C:\Windows\SysWOW64\reg.exe
    reg import color.reg
    3⤵
    - System Location Discovery: System Language Discovery
    PID:728
- - C:\Windows\SysWOW64\timeout.exe
    timeout 30
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K fence.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4436
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:532
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:8
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:4196
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:208
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2516
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3380
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2812
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3260
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:4388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3708
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5176
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5540
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:6104
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3816
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5156
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3576
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5408
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5920
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5576
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5328
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5320
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5408
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5540
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3668
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6104
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4532
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:6140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3200
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4144
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5356
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5396
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5760
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:532
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5672
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5820
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:6000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6104
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4532
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5320
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5376
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:372
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5428
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:1644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5920
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6124
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3508
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3880
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4192
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3628
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5168
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5540
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5328
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3880
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5316
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3200
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5156
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5168
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4672
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3964
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5656
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6124
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5424
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:6140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2136
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5380
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5464
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5700
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5920
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3408
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6124
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:1112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5680
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5376
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5316
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5348
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:4972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:6128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5656
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5812
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:920
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5668
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5420
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:6732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:7108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4228
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:7064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:7056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:7148
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4908
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:7108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5748
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6196
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:6780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4708
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:6468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6524
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:6408
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2204
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6000
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\screenscrew.exe
    screenscrew.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2600
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\PurchaseOrder.exe
    PurchaseOrder.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:860
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\PurchaseOrder.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2832
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TESAYt.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5424
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TESAYt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3275.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5620
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:2276
- - C:\Windows\SysWOW64\cipher.exe
    cipher /k /h /e C:\Users\Admin\Desktop\*
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4268
- - C:\Windows\SysWOW64\cipher.exe
    cipher C:\Users\Admin\Desktop\*
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\doc.html
    3⤵
    PID:2716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9d36046f8,0x7ff9d3604708,0x7ff9d3604718
      4⤵
      PID:864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,1481797456484841031,80279101411333861,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
      4⤵
      PID:4672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,1481797456484841031,80279101411333861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
      4⤵
      PID:1472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\infected.html
    3⤵
    PID:620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d36046f8,0x7ff9d3604708,0x7ff9d3604718
      4⤵
      PID:3240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,4853676653882868836,7000699186403037927,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      4⤵
      PID:4216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,4853676653882868836,7000699186403037927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
      4⤵
      PID:3864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,4853676653882868836,7000699186403037927,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
      4⤵
      PID:1832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4853676653882868836,7000699186403037927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
      4⤵
      PID:4340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4853676653882868836,7000699186403037927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      PID:4800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4853676653882868836,7000699186403037927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
      4⤵
      PID:2368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4853676653882868836,7000699186403037927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:1
      4⤵
      PID:2344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4853676653882868836,7000699186403037927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
      4⤵
      PID:5292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4853676653882868836,7000699186403037927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
      4⤵
      PID:5180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4853676653882868836,7000699186403037927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
      4⤵
      PID:6380
- - C:\Windows\SysWOW64\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:3868
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\butdes.exe
    butdes.exe
    3⤵
    PID:5996
  - - C:\Users\Admin\AppData\Local\Temp\is-JMOKJ.tmp\butdes.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-JMOKJ.tmp\butdes.tmp" /SL5="$201A6,2719719,54272,C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\butdes.exe"
      4⤵
      PID:5512
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\flydes.exe
    flydes.exe
    3⤵
    PID:6028
  - - C:\Users\Admin\AppData\Local\Temp\is-FQFRK.tmp\flydes.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-FQFRK.tmp\flydes.tmp" /SL5="$40180,595662,54272,C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\flydes.exe"
      4⤵
      PID:968
- - C:\Windows\SysWOW64\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:1624
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\gx.exe
    gx.exe
    3⤵
    PID:5660
  - - C:\Users\Admin\AppData\Local\Temp\7zSC162CA08\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zSC162CA08\setup.exe --server-tracking-blob=MzY5Njg4ZTc1OTE1MjcyMTMxZmYwZTk4ODU3ZWE4Mjk0NjQ0Nzc5MjcxMWY4OGZhOThlNTU5YmNlNzA1NmJiOTp7ImNvdW50cnkiOiJOTCIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9OTF9VVlJfMzczNiZlZGl0aW9uPXN0ZC0yJnV0bV9jb250ZW50PTM3MzZfJnV0bV9pZD0wNTgwYWM0YWUyOTA0ZDA3ODNkOTQxNWE0NWRhZGFkYSZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRnJ1JTJGZ3glM0ZlZGl0aW9uJTNEc3RkLTIlMjZ1dG1fc291cmNlJTNEUFdOZ2FtZXMlMjZ1dG1fbWVkaXVtJTNEcGElMjZ1dG1fY2FtcGFpZ24lM0RQV05fTkxfVVZSXzM3MzYlMjZ1dG1fY29udGVudCUzRDM3MzZfJTI2dXRtX2lkJTNEMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkZneCZ1dG1faWQ9MDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmZGxfdG9rZW49NzAwOTYzNzgiLCJ0aW1lc3RhbXAiOiIxNzI1ODAyMjIzLjgwMDQiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTI4LjAuMC4wIFNhZmFyaS81MzcuMzYgRWRnLzEyOC4wLjAuMCIsInV0bSI6eyJjYW1wYWlnbiI6IlBXTl9OTF9VVlJfMzczNiIsImNvbnRlbnQiOiIzNzM2XyIsImlkIjoiMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS9neCIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiI0ODkyOGFmMC1jZDc3LTQ0NDctYTQyNy1kNzY5ODRmOGQ5NGMifQ==
      4⤵
      PID:6104
    - - C:\Users\Admin\AppData\Local\Temp\7zSC162CA08\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC162CA08\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.115 --initial-client-data=0x31c,0x320,0x324,0x2f8,0x328,0x6e631b54,0x6e631b60,0x6e631b6c
        5⤵
        
        PID:3884
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
        5⤵
        
        PID:5780
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409211125591\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409211125591\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
        5⤵
        
        PID:5216
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409211125591\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409211125591\assistant\assistant_installer.exe" --version
        5⤵
        
        PID:4032
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409211125591\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409211125591\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x794f48,0x794f58,0x794f64
        6⤵
        
        PID:5204
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\bundle.exe
    bundle.exe
    3⤵
    PID:5424
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\rckdck.exe
    rckdck.exe
    3⤵
    PID:5340
  - - C:\Users\Admin\AppData\Local\Temp\is-7H23C.tmp\is-LMEU0.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-7H23C.tmp\is-LMEU0.tmp" /SL4 $300FE "C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\rckdck.exe" 6123423 52736
      4⤵
      PID:4172
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\avg.exe
    avg.exe
    3⤵
    PID:3508
  - - C:\Users\Admin\AppData\Local\Temp\aj68AB.exe
      "C:\Users\Admin\AppData\Local\Temp\aj68AB.exe" /relaunch=8 /was_elevated=1 /tagdata
      4⤵
      PID:1920
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\telamon.exe
    telamon.exe
    3⤵
    PID:3136
  - - C:\Users\Admin\AppData\Local\Temp\is-K80GS.tmp\telamon.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-K80GS.tmp\telamon.tmp" /SL5="$1033A,1520969,918016,C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\telamon.exe"
      4⤵
      PID:5700
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-3D5DA.tmp\tt-installer-helper.exe" --getuid > "C:\Users\Admin\AppData\Local\Temp\is-3D5DA.tmp\~execwithresult.txt""
        5⤵
        
        PID:5724
      - C:\Users\Admin\AppData\Local\Temp\is-3D5DA.tmp\tt-installer-helper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-3D5DA.tmp\tt-installer-helper.exe" --getuid
        6⤵
        
        PID:3596
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-3D5DA.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\telamon.exe > "C:\Users\Admin\AppData\Local\Temp\is-3D5DA.tmp\~execwithresult.txt""
        5⤵
        
        PID:5636
      - C:\Users\Admin\AppData\Local\Temp\is-3D5DA.tmp\tt-installer-helper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-3D5DA.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\telamon.exe
        6⤵
        
        PID:5552
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:5816
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\gadget.msi"
    3⤵
    PID:320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K des.bat
    3⤵
    PID:1264
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\g_.exe
    g_.exe
    3⤵
    PID:5308
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\t.exe
    t.exe
    3⤵
    PID:2364
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\g.exe
    g.exe
    3⤵
    PID:5816
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\e.exe
    e.exe
    3⤵
    PID:5712
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\GAB
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:5432
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\Bootstraper.exe
    Bootstraper.exe
    3⤵
    PID:4240
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\SalaNses'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6392
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6400
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6408
  - - C:\SalaNses\soles.exe
      "C:\SalaNses\soles.exe"
      4⤵
      PID:6064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\dng.html
    3⤵
    PID:2412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9d36046f8,0x7ff9d3604708,0x7ff9d3604718
      4⤵
      PID:6204
- - C:\Windows\SysWOW64\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:5152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K proxy.bat
    3⤵
    PID:6944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      PID:7060
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\GAB\29853.CompositeFont"
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:6604
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\GAB\29853.ini
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:6232
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\GAB\29853.ttc
    3⤵
    PID:7056
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\GAB\29853.TTF
    3⤵
    PID:6440
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\cobstrk.exe
    cobstrk.exe
    3⤵
    PID:6316
  - - C:\Windows\System\ggBpPJY.exe
      C:\Windows\System\ggBpPJY.exe
      4⤵
      PID:2132
  - - C:\Windows\System\ZbJmOvt.exe
      C:\Windows\System\ZbJmOvt.exe
      4⤵
      PID:6160
  - - C:\Windows\System\NbUhggs.exe
      C:\Windows\System\NbUhggs.exe
      4⤵
      PID:6636
  - - C:\Windows\System\uUVZsyR.exe
      C:\Windows\System\uUVZsyR.exe
      4⤵
      PID:6660
  - - C:\Windows\System\mFMwsYb.exe
      C:\Windows\System\mFMwsYb.exe
      4⤵
      PID:6764
  - - C:\Windows\System\tMdHOlV.exe
      C:\Windows\System\tMdHOlV.exe
      4⤵
      PID:4404
  - - C:\Windows\System\WqtxmFj.exe
      C:\Windows\System\WqtxmFj.exe
      4⤵
      PID:6240
  - - C:\Windows\System\ZryqWPe.exe
      C:\Windows\System\ZryqWPe.exe
      4⤵
      PID:6432
  - - C:\Windows\System\OoEVpAP.exe
      C:\Windows\System\OoEVpAP.exe
      4⤵
      PID:740
  - - C:\Windows\System\VzKCTGs.exe
      C:\Windows\System\VzKCTGs.exe
      4⤵
      PID:5256
  - - C:\Windows\System\LcnuQjQ.exe
      C:\Windows\System\LcnuQjQ.exe
      4⤵
      PID:6148
  - - C:\Windows\System\xYLshuG.exe
      C:\Windows\System\xYLshuG.exe
      4⤵
      PID:6336
  - - C:\Windows\System\vOxgTkw.exe
      C:\Windows\System\vOxgTkw.exe
      4⤵
      PID:6120
  - - C:\Windows\System\sqfHDwD.exe
      C:\Windows\System\sqfHDwD.exe
      4⤵
      PID:4532
  - - C:\Windows\System\tGeDddC.exe
      C:\Windows\System\tGeDddC.exe
      4⤵
      PID:3260
  - - C:\Windows\System\MhbpMeT.exe
      C:\Windows\System\MhbpMeT.exe
      4⤵
      PID:5476
  - - C:\Windows\System\zUuZYXh.exe
      C:\Windows\System\zUuZYXh.exe
      4⤵
      PID:4556
  - - C:\Windows\System\vZxluui.exe
      C:\Windows\System\vZxluui.exe
      4⤵
      PID:2268
  - - C:\Windows\System\ZGeWvsD.exe
      C:\Windows\System\ZGeWvsD.exe
      4⤵
      PID:6776
  - - C:\Windows\System\aZTsepX.exe
      C:\Windows\System\aZTsepX.exe
      4⤵
      PID:1776
  - - C:\Windows\System\hpYMpbX.exe
      C:\Windows\System\hpYMpbX.exe
      4⤵
      PID:6916
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\jaf.exe
    jaf.exe
    3⤵
    PID:6308
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\file.exe
    file.exe
    3⤵
    PID:5036
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:2264
- - C:\Windows\SysWOW64\reg.exe
    reg import oobe.reg
    3⤵
    PID:7108
- - C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\OHSHIT!.exe
    OHSHIT!.exe
    3⤵
    PID:4536

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x340 0x4e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3784

C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2904

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4428

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:3212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:3324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1412

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5464

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5980

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GAB\29853.CompositeFont

Filesize
42KB

MD5
8f64a583b0823bfc2fdf7277e67b5e16

SHA1
f8029c828d0aef58f8818b866f1f7f1ec2f095b8

SHA256
b637a0f9031088d08147f397836fe1c16b15c70db696db4ddea05ec5b95b4f91

SHA512
e8c7941c8a42f6408b0071c7f0ea06a226757d3a07e3943738296c5dd5e5e60d682424182f0d788f42a5758f1c76ef1ec89901acc43799833234f09f3b4278a2

Download Submit
C:\GAB\29853.TTF

Filesize
165KB

MD5
46a487fac371a24f881b191de1f32e5b

SHA1
388409434b108e9a2bb758f4b2f398498d8a041a

SHA256
c3ecf415d53c7f90f5083ff2c240bb17391b68dc3d9c8b6d1af39d4641581752

SHA512
c71da7bfa9a86487104620f35653370e06b5afc80b33edc7ec1f4273cf3a9afa6af5d1a884a59e561b6785a63d56d4a77b7b5b129f61b568f2e17274c4a6e5ba

Download Submit
C:\GAB\29853.TTF

Filesize
256KB

MD5
222f59832e817148b104b4693635aa60

SHA1
6cdcb29261945f6faabaa1975ffe11340ee43d85

SHA256
ee446842cf731ac5801e460d539564f96d7e76bb2400bcc69233a1dc3359c011

SHA512
e283edab0ff8f9d874a95348321e46c858be9fd839c3e6d609001436381084a81cbbde40539f3772f86317a67c381d8833fe2882b37d4e50bade97555dacf1ef

Download Submit
C:\GAB\29853.TTF

Filesize
128KB

MD5
c0c47068ee501d79f5fbe0af80be6b96

SHA1
7b4137c9d2181221a9db41f64a903e98dda1afea

SHA256
14ae91bb1d852e07667b1c56c5583e37a9479326f5495f4d3edc2f5e33ed357b

SHA512
7984249ff5934566cec07e055b47af53f015d42121dcd77bfe4fc93a3711cad132575f89f6a97f51cb4a180523830f879f69a2d14dec591ec1424082d29e9e18

Download Submit
C:\GAB\29853.TTF

Filesize
282KB

MD5
e7967f8efafafaadcf3db1e09cffce45

SHA1
42c72af4bc6d6f9076073567d1654c7c64db25de

SHA256
707585b9acfc1507d9bd943bb5435f75768274b1a12b1f71de76ad78be4d7e7b

SHA512
4bac5ea1c5f909a07664b5365a0eadf567ce5ede65ece262c45f285946276b7cbce83729f7830f1e3d8c8d0fbd15c63e6508e2e588843427011f58895980de64

Download Submit
C:\GAB\29853.TTF

Filesize
5.5MB

MD5
d78cba52bb14a26d51779f06bccd9329

SHA1
b26df0e00e6aaf204bea0d3f8abf1dc4b3faada1

SHA256
7b5a3bbcc29a08546e65a1033bf7767bd1d0d032aff604cdfd5495e06d073be0

SHA512
0fb324cbecc41742184bf36913f413e9e0587dfbde86d6c11e10e648db76e5dc76fc6d7bb5dbda901ba1a7fd9ea1bc839e68291063cca1b0fc425f5e35b9b5ae

Download Submit
C:\GAB\29853.TTF

Filesize
5.7MB

MD5
a342ee6280ea0e6b3e415e0c925ff290

SHA1
ec30cd85f867ebeee5b4e4c2c77823f7c5e6f7ac

SHA256
2629e44f15c1444ecd4c08e5ff831de8a54a70cfc55d7ff503166bb8274b1bba

SHA512
bf2c0c4f583a4ffb9eee9987b2e040750891d9829c070765c5f06d161f96f648727d8c0e423acfed27565c1d5a7409814cb86d36a470ba0777713977068d0545

Download Submit
C:\GAB\29853.TTF

Filesize
1.5MB

MD5
8aea750d99b4509a1d0e57400bf5f8c6

SHA1
94bf0d9fe564814830bd8e9575fc497077f0f08f

SHA256
33b92053c0bd5eeeaa51d126fb926bc42e2d3514fb28467cea116468da9717b5

SHA512
47e97aa4287464450933ca4247f83818d8249db344d9d2225348f8e52bfc4280fd6351815a3314f6cf5ce0263055e3f9c3319e05c1e4199f1a54c3dcb6133110

Download Submit
C:\GAB\29853.TTF

Filesize
1.2MB

MD5
fdadad4f4a783d015c7b91516837ea49

SHA1
f4bd11b09f6ee7c5c627c8c7cba0adde8b464140

SHA256
0fc5ab007be66b3e48fc700f10347d7f65526289be442cfdcf08961ea862b066

SHA512
c62e41d2b726314f078f9a088f4c3e8e07410f6279f9c61797252366bfceb8e6ad166476bb7519b60a2829e2f3cf1024a16680cdd8fd09fe05fffec986fb0d2d

Download Submit
C:\GAB\29853.TTF

Filesize
128KB

MD5
587c3009da6484ae788dc8cfb58f4468

SHA1
4e50845c540265ae92396c66d83a0116c20001c0

SHA256
4aad207a5bcbca004aa6e0b862fd644a76e2796cd00de571959d05b10ba8033f

SHA512
38eae04336812179ab6e7307b990b5e59f028490b0f42bb05afb5c7ae09f6d1c34bd3ead2eade3ce7f9fe141605aec2731eba963dfd62195efdbd6fc72bba20e

Download Submit
C:\GAB\29853.TTF

Filesize
128KB

MD5
e3bc08b556ef9478430da8b01306e64b

SHA1
c87e3532ef52d68a11b460f03157d362c62427c1

SHA256
00e846bb225d943300b07da43d8b38340d7e23d486a9bcea175bce712237da4d

SHA512
571200d8665cbd839172ef7ef4e05cd5758b9873a9de6a2fd6157c19d91862e94dfba5c9fa802864812ea79ca8356bca456962c92f13aad994064fe737d2687a

Download Submit
C:\GAB\29853.TTF

Filesize
34KB

MD5
9e2ee65661bee40438d514fe592bfcf8

SHA1
140a77e69329638a5c53dc01fbcfe0ce9ab93423

SHA256
ac9ee085920a3d8b076d5e0c61dc9df42c4bac28d1fc968344f9ceddb3972f69

SHA512
3b3c7ff00d8f12cea48008a2e95c194f7fc64ee96425a3cfefb8b65a9f7dad66fa16104ec1cf96ac6892426e5e8ab59dab91e3d56d76f58753b80f8ac48f2612

Download Submit
C:\GAB\29853.TTF

Filesize
704KB

MD5
525671bc91df4366f3e8643d693ba8ff

SHA1
2d201c27a7b930dc6ec0fbf7c9b0a5f2b98426c6

SHA256
e927ac4c811bd4f4638d60d7f29fcd34e7b92b60ec0549f1f1a61fa1df026b1e

SHA512
4595d911a2d6677389523bf38c079741065fd1726c51b2e0e127361a10aaa83f12ab08d1ae61179978adb49b5dcff8708b824d2692a15f1ee39fc9008d02fb6b

Download Submit
C:\GAB\29853.fon

Filesize
31KB

MD5
5353b15e459c39e2260900266f25cf53

SHA1
bee45e88cbf4d31940e42dd0c73e690799c39846

SHA256
53d21f5be35c14aa6e85ab7f48d7171b3412da884a29bd9e2d9a50ff0114b0bd

SHA512
ce2b261e2b5e49588060425d2080d81528fcc5fa6f4c2e9f588dfff2ae387c18088577d6b2000fd3f68933efbf88b0f4ad5f7929c320623ddd74fe8fa9387faf

Download Submit
C:\GAB\29853.fon

Filesize
8KB

MD5
b0ac2d09abc0efc32b28b7e364659a15

SHA1
33738efa553c7dcb30a94055b24fd1a16616bc27

SHA256
a0e5dbe96d1cae29501b481cd98a1eac5f0f662aa367aa9712a419c3c32f4284

SHA512
25853b53eb7c6115546cf59c276142f5aa2e54718f18f98402fa7267cd685601280b2e9f903a4c4e16c74e531bf591f0355fee29b0c702e0c15ba6e00899329f

Download Submit
C:\GAB\29853.fon

Filesize
7KB

MD5
ad75fb38d57de96a18fd5fcad4a282cb

SHA1
2689835e7573d1ea8cfdf6ae7fd77b671baccbc7

SHA256
c7b31d6d41b52ea093fc845bb51f5fc8bb772b278a0cd8d0dac980dc9e6b08eb

SHA512
ef3e09211a3e58428b94bda0f84d84e83e1e76f40b6f633a6a0e4121cfbdd4cf5253627be285e853d8c536a611f8abf6b2cfdff69033e596c56aaa5b625b6bc2

Download Submit
C:\GAB\29853.fon

Filesize
12KB

MD5
dcfe71d27bf49ba16fde0d1945bfb4a2

SHA1
86b3d8696b5da354ef42c8ab4a9d21cdaaf0dda1

SHA256
eacbfca9a5ef05a108ef5337c773d82a43398bb8ea177e5ebeef62934dd75811

SHA512
4da8efcfd4a77e230c61a527eb96b5193b9f5ddc0d476dfca8ce6ba7143ac5c8a1fd8b673cc2c7b554dae42ec01364a178f64532b6de17d44dce07b3089869c3

Download Submit
C:\GAB\29853.fon

Filesize
82KB

MD5
5972eeea7971170eb72cab2fc85c2b17

SHA1
d327d96bd78c5e851e065d053829abbb370c0c09

SHA256
9677467feb714a89de457e262ff6647708b7de66127671b77f7e1e92aa0c2f41

SHA512
c55c5217271f29bd3a7a130daa5e5711eff65630127f90112a26bb4ba3dbf416059f9424606bc1998ff4eec874c18767a395e20c3dc516a00079b2c5a7221ed3

Download Submit
C:\GAB\29853.fon

Filesize
62KB

MD5
fd1356e6d9598a9ee0bccc8498af926e

SHA1
02b665d2e14ac66861f1fff182eff8e44fb51cb1

SHA256
85e70eacb8c73a048b09ef2712eddbc0ad2ea19a9d7b73649c7e5ef175674a68

SHA512
d2089327300016f099e9fb9afd8cffd29ad6db03c0aae07e3ed8d6bae380d858fb6d0ec9b7e2169b3adb620f7118bfbcbf459256f8952afdc0988ab55a88a9aa

Download Submit
C:\GAB\29853.fon

Filesize
5KB

MD5
d2567a10e7bf9e1117f43e8daa04c332

SHA1
39326fe60dd642cb3a10ef27d779c147b5c3bdc0

SHA256
6f899b483869df427e94b1c4766c60da61d4d37b172ae1d643e6a84aba9e0f9f

SHA512
bb951a41596033d65976e722077f14c960ece2aabadba14b60837d63f1f2a7520e8840f5390f6f594195e3a573e522c2ac3f3f82a981eae1de5cadbfcc8fa420

Download Submit
C:\GAB\29853.fon

Filesize
6KB

MD5
8a5dbabcb9b11e3e0c527b93e69d5e4d

SHA1
c47add614ece5ed16ca456bac08b1f2cbaccfec9

SHA256
824ea3f5eabd9c3b8e0041e78935feb65545f58760ce0c47a0d938ad75f8e241

SHA512
ddcb3520d68321e6372630cb34473c7b310ffed1263cde8e1059837e63e42e7a7e644537044dee774e9ea3e912e485f2630bc106233e039ea925355ec29921c0

Download Submit
C:\GAB\29853.fon

Filesize
12KB

MD5
d141c73c523889bb1e6249a90eae35a5

SHA1
8bfcd39c1dc42cb98765892c0bbf3d63c1f9fb9e

SHA256
d8990dc5eee6c7f7168fabcfe7b334940434728de1367b061f52c4ed1f802f4f

SHA512
d01bb040cbfc05756148309ed22eeb51889ed9e0c06e3b66e6566e41ac8e3f13ffa3930f5cae2834fecef3f8a42e5890511553bcc16c3bddca28e4cc8c5582b2

Download Submit
C:\GAB\29853.fon

Filesize
17KB

MD5
08204b8185f06076e625401e4ad1dd40

SHA1
da572b8772aa5b717d481ede5550b402668e5da9

SHA256
81538026940fedac874529cf77980f0813c8a3ab3264e06bed007a280e224ce7

SHA512
0f6c45de3c40fd82b36c1535130501dc1221b75bedb9c9c1852065d9592dba301a1ab51f2c837cebfbc36b40c6ed41a5180f401b8561311522e24a805b37ce3e

Download Submit
C:\GAB\29853.fon

Filesize
4KB

MD5
9d2bf033acde5a212f6f5404d490e169

SHA1
a0e28adf40a9d06710d20071dcaba2569b91b1dd

SHA256
93e7c6c123d9b53a2d933f63093b4b85302023517f56abf057f9ef8a94d83b8b

SHA512
8dcb0dd9dc72c2de61e26932b72d5923a43b0f512e8d2df5334f478a78ee80f492bb8cb193dd3a314a6a19dd95e4899b40e7b76c3b1f767f5e8b46d1b1b3c00d

Download Submit
C:\GAB\29853.ttc

Filesize
64KB

MD5
3228c1f53522f760a1d8259af8603ce3

SHA1
098495d98a4d26307d614a02d3d872de592efced

SHA256
a95f83698bc7ec6cef20a4e2b564de1414f821098ccebcb70f345fe0877f341e

SHA512
9251581c23b01628d56da5f5632cad470c2f13069f37e53199625838cee47122252cc36765e8cf3d7ccea8bcc686c325b84c5262fdcfa1523152b3514247b494

Download Submit
C:\GAB\29853.ttc

Filesize
13.0MB

MD5
e868c731ec770c425dbc74881b3ca936

SHA1
a8dc99a2e0bc3360f8441243aab13fe7279a759a

SHA256
1e5a4b342c6417bb9352e8c29cb839413987a06438e7b48fd0320925827f289c

SHA512
51bbdbcd06bc41c1ef6a589ca2b6300f1f9350d11b8bfa60605c7a68a0d6a714998bec6060cbc3b27dd2d1485d57f344890b0278d7313dbdb5593334ceea3b49

Download Submit
C:\SalaNses\soles.exe

Filesize
1.2MB

MD5
acebc69ae67997867002990dae3f699d

SHA1
8483b45b2faaa21ad548e72fb49ae3a08143334e

SHA256
f545fbcf52e694eaed07f7869ee67d1dffea29a3769e2482f5eccb3c21148442

SHA512
6c9f88407ffbf228f44270c28d0eeba804a8f3198454becebdd5f2d13eda5c1f0407f1e98569bbcd490225a10ba6e1917c1af1971bd1f636a71250b602dcbf28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
f0044b463b092b8c8cde538b237bb37f

SHA1
7e57a83721aa57c2a2e617e2589b3f1e5dcb1eca

SHA256
969dd52eba2f3d4a4481fe20390c187bca53e70740dd87cfbcfd0ce534068313

SHA512
dbea09322b2e40eb3aa2c88c7425a1390e8edf8b8e87ecf16364838e943ed91e38e41f00588dc3eb5860757f925a18b2d3d8dc5be5fcfa43d94ff880fe4881b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
79fc3ade79476a50d2431e557ad38292

SHA1
2a9a08d85caa9a03a762afbfa645d809f338608a

SHA256
0ab75a0b70846861f70f3224d644fd16e4ca1bd9cc538a4050143d83d3141f8b

SHA512
eb74b8a255157985daa744dfc04c0896855ca5fda15fce5e8c312690c874ffe6e9b7346992c2814350c2a13a8643361002dbc35269d5cb8dd8ba9a4d49211b69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
d3be6dcb40e9773136dd57125916ded2

SHA1
ade951fc8c1f649ff93402af89ab65586d2c3ebb

SHA256
e56c1a771bbcba720d0b16f4232e71e8f1089d4957046fb3695208050a3e96bc

SHA512
2f759e09f8bd80888acc6337d1d479725dd7e6468376897b345343804fea688792c9b63f44836804044dbf22d72b0c067d3e87189635c14f0da8ae513da468ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
16b8f6fda7c497b758bbbc3c0310af57

SHA1
f9e3791295cd17be64b4b2cb5aadc5258772653f

SHA256
6e03d022c5a97e3e16279ea564b54ae38787573a5949b4e07d4afbc9d3632f3c

SHA512
5db3bde1178f314f42c9ac7d9688f28ae017e0ab531bc0820658bbd4a280495574f693b28d529284ddc5324006aa08d2eb823dd4440b5fab259cd46d6f542003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7962714a7e401a3b57a9b268198b5946

SHA1
e1dc198ed1266d9129d4c584fa939832d7af40bd

SHA256
1b0611a06b8853e3dbe60e87e42672553ecb295af06a68a356edd0f65cd36b19

SHA512
ea77f9b5e1c5128fb2d0bf5d6d75900fd88c52223959ff23b8b494204aac484c99146cf710e8d103c4ed243f8107b874f7d89aeee6c731f6f6c6dde82aa4b141

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
624837e94a31dc79683b42e4402de982

SHA1
502e6a8efbca9a64486528f51ba472524695eaf1

SHA256
596ce749acdab9a7620c9992dda99d8d821c6f7922d897d0faa3b349eb0fbb63

SHA512
a9ced42e5e02e865c86e719348bc29f6487813df585d5c2b8bc722f0d01cd99c25867305b8212079b0cb58d614b9840850a8018badaf0213faf96671e854f070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
0a5f12854a67d281174d2258c0b539ea

SHA1
09b3e5d32a3039b798e8a1ea964ec037fda5a438

SHA256
2dc5041514c19d877d04257e54f28f338520d3c1a6e71a2b6a617685d83a1b12

SHA512
fc04cd727a154c1deb17e8abe8005ae7268242ef509f2dafd61aeb38a691a028103c48aff54a2753f5c8d614757efae23bf23427da4c7dd4e70c9a353e6e8b1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9370223c575d659b5cbb5d150b0e281b

SHA1
6d75547426484f909a1144b7aadbac7cafac1f80

SHA256
7ca0183e80d33fe5921d62104bc4d961eb7a5dcf0a58557ac669453d9be013ba

SHA512
47ecf40125b49dfe0e9224ca9f02c3c05d43c908b9fbb63ac95e391ad822fac24ad94591912d5be944e2f20110f66a3d8b212811dd10abc8b7f376bbcadd83ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c44fe185091011a7116ab9419e02bd28

SHA1
17bc604385173789e3c2251be9530498bd527660

SHA256
88178d7d3fb1882b02ce1855acd1e37111266fd25b6c54a8870c618e5920b368

SHA512
d7d5fc5fbc8964397381e2df488cd943d7cef9e1a617cd330facc669f49b9329ddac34b849b91f4c7e1158638a47aaafccc473366f3f73b8adbf41a5d4c7b916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c533b8556a37620dc7966016a91ebdbc

SHA1
9654ceb64b991b25ffd652ee9d838b443e31788b

SHA256
f1a23bd8e623e4cd55ad1814ce27f0565bdee77d150f0b62b51f3868dede5842

SHA512
5b0412574c72653e5da9c62d4ee7b3f9862abb2eda667220fe6b8afd9e03b48bd7487faec39f58bb26353a8defa51e708871748e88743341ad6d654dc5556b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
aa2fca1698edae20b8879b55fa739d5f

SHA1
1060c81b0f8772801cbb5203c771b576cdb56552

SHA256
1a8057c8320b78a9e5a00e6fae77a65dd084af8a097691bd01b1f2e645276f58

SHA512
c29eaecad1623821b891ac7acc94d37fc1701a56469e9bdc37fc05b71f83fa22d3095b8efae56e8e610695c4b83b34e4460d466e61f646dd8a1d89a8075653da

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409211125591\additional_file0.tmp

Filesize
1.4MB

MD5
e9a2209b61f4be34f25069a6e54affea

SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0

SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\!m.bat

Filesize
1KB

MD5
9a406b8d8364842f6820ca4356a4c450

SHA1
153c67b38d3d6d391bd7d3b0fb7a68571ea74125

SHA256
e984a5d7fe4d4f0fa8c9d1acb99b76ca60b69ea5d373fc4ffa403678206943a3

SHA512
72721fb0689a8f7ebd057828a9e8bd1806f43f652f5d9b2026daf6de087b70a086693766f870dfd36619ee7ded4baee46ed5d4493a25814eda357d18e46664e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\PurchaseOrder.exe

Filesize
934KB

MD5
f7f32729079353000cd97b90aa314cc1

SHA1
21dbddeea2b634263c8fbf0d6178a9751d2467b8

SHA256
8e29aa00863b1746ba25132f7ecb7bcb869d3a7e647dc8d6d3255491c5ac5212

SHA512
2c40c12b81e7c377ddf0a6691ebeedc895dcf02c9211a1563b840de735fab77968565b1d3d0c40cc0b2b583fd4bfa1c69f995fca758ea85f548bf5797b5bf847

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\anti.exe

Filesize
1.9MB

MD5
cb02c0438f3f4ddabce36f8a26b0b961

SHA1
48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256
64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512
373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\bundle.exe

Filesize
429KB

MD5
ae4581af98a5b38bce860f76223cb7c9

SHA1
6aa1e2cce517e5914a47816ef8ca79620e50e432

SHA256
7c4b329a4018dc7e927a7d1078c846706efae6e6577f6809defaa51b636e7267

SHA512
11ad90a030999bbb727dbfde7943d27f2442c247633cde5f9696e89796b0f750f85a9be96f01fa3fd1ec97653a334b1376d6bb76d9e43424cabe3a03893ecf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\butdes.exe

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\code.js

Filesize
4KB

MD5
016bf2cf2bad527f1f1ea557408cb036

SHA1
23ab649b9fb99da8db407304ce9ca04f2b50c7b4

SHA256
17bb814cfaa135628fd77aa8a017e4b0dcd3c266b8cdca99e4d7de5d215643c0

SHA512
ac2d4f51b0b1da3c544f08b7d0618b50514509841f81bc9dad03329d5c1a90e205795a51ca59522d3aa660fb60faae19803eceeeea57f141217a6701a70510e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\color.reg

Filesize
1KB

MD5
a2441cc58179194cb45e0668e9b09cfe

SHA1
eb01b9b82ec0d46ff6f46236923cce26d017c109

SHA256
65e3f61a4c680ab23243ea3765b3cf0fc5414d34c9070cbe6f11c2cbc75ba4b0

SHA512
08644e315bd71acb452b05beb499174022095ae4b231f91c67792997394f13d7c9ec21b8caa97ba1bcf88dd484031a10c939f27f853b4ac943496d54f6452eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\doc.html

Filesize
15KB

MD5
5622e7755e5f6585a965396b0d528475

SHA1
b059dc59658822334e39323b37082374e8eeaac4

SHA256
080cb8ef0cbf5a5de9163b365eec8b29538e579f14a9caa45c0f11bc173c4147

SHA512
62f5abda3473ca043bf126eed9d0bcc0f775b5ac5f85b4fe52d1d656f476f62188d22cf79b229059a5d05e9258980c787cb755f08ca86e24e5f48655b5447f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\download.jpg

Filesize
8KB

MD5
01a5131931ef35acecbe557ba13f3954

SHA1
c7afc7590d469432704d963ffcee31ad8bcfc175

SHA256
d364872ddde28d81d23bb3b08f9e86f921b542f3a35fcaf12549cf5666462bd0

SHA512
ce32352484d676bd0f47c24808707c603fe9f09e41afd63d90f07599f13a5e32c73b0970a9964632f76f5843dda87a033340ee12fadd87b9f219329d0c69b02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\eee.reg

Filesize
33KB

MD5
ad39d3ee72df4b32d48ce5aef0cf359f

SHA1
125b495b74a6ea49d3c8f3343a9b17b33332fd68

SHA256
ebd1cfc4d28f97d8c3044d305bcae6e8e2402fc7483c0be891619cd02c8dcc2e

SHA512
c3dc49882e4434ab06738e4786de3e79b0e44d12ad60276492bf7475d7f3408d7451b69a753aae273c05857fc2093e6f4ed2cacbd6e79f2e38296e3b7efafa29

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\favicon.ico

Filesize
5KB

MD5
e0c7cc30d8f9a3cf0140bf838198571b

SHA1
2494a9ab234b90ff0a3cc2dbc152483fb540afd3

SHA256
73bb7f4a70650054fb42f4c7ab85d9a683253a0df26703ecd4a2bb3155d93cb4

SHA512
7b87a3296fd984d89dacfa70bdc274ed9faf553c3e086d3e865ed7a2e55f92fbb55bd270a5863ebb6b95f3ce26d321b5936665741300676863f40111b95a6e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\fence.bat

Filesize
187B

MD5
f1a53c52c034352ad3efc4d7efb9bdf6

SHA1
ab9a74fbde28de0e0579266cb2547dcad77adce8

SHA256
27bfdeea2850a4336f69b840d3dc5dd800e530e0a52b22eee4d9c43cd544a13a

SHA512
6fe862a0151f80b82088cea9b965fe8b2aeb2efb0ab16b4fce442a11756a2896f32b96dbb480aba9b4266a516ff4ffbe47def17273cdc7113d700694e87dee67

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\flydes.exe

Filesize
833KB

MD5
b401505e8008994bf2a14fdf0deac874

SHA1
e4f7f375b1e88dd71a0274a997ed5d9491bde068

SHA256
6bcf6b84d71737787e3cc8d9d0eed9720f388cc2d0337832a7e8ca3c6f455a41

SHA512
1bca98547ecf5a98d42b1d77cff50ca79ee560c893b2470aeb86887fef6e40a5ccdb72956f04a1d2a862827eebd3b7746e3043f3e6209597dcde9385ed55cc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\font.reg

Filesize
16KB

MD5
f99019a747df87574971ff5d788cd8d6

SHA1
51f59c63c22c6524c00462ac136bae4395e9196e

SHA256
c71187aae9aa77964b19db391eb96132262b3912c54aaf830c4cc7a836404ecb

SHA512
625e88f5e45322e8da1d9e2a83b7e4abc4431d6022d20fc279a67d4404e099c8adabf643c9591e47fe592c5ef27d662e6bea2ceb62b99ebde2b1f86f8a40a9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\fries.jpg

Filesize
12KB

MD5
c4d9d3cd21ef4de91abc95f99c4bc7dc

SHA1
b2cf457237c44c824068727b8440fe6a352a360c

SHA256
6fd1c3bde9a6a478e39d1cf2121e980c0bcf59454fe1673d707aa70170953bc9

SHA512
d10fbb0bdfb30160484950aa58bd2f97c38cf2d0914550b4041c9acd273e8013920ef1ee74216f92437a44ab81111a4c70ed3dc2df680ee4d187c22557900ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\gx.exe

Filesize
3.1MB

MD5
80bf3bf3b76c80235d24f7c698239089

SHA1
7f6071b502df985580e7c469c6d092472e355765

SHA256
2b95e56af10406fbd3ecee38dab9e9c4a9b990d087f2ad2d7b1981c087829da2

SHA512
076b8b6a80ea15738ce682cc715792546582d7a74f971f94f6b5b9cf8164f01280322baec7f72894ac4b8d63b9f2f6074e8fc5e47880ef6c0b57a47beef3581a

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\i.exe

Filesize
12KB

MD5
cea5426da515d43c88132a133f83ce68

SHA1
0c224d0bb777f1e3b186fdf58cc82860d96805cc

SHA256
2be7a0865ded1c0bd1f92d5e09bb7b37a9e36a40487a687e0359c93878611a78

SHA512
4c1f25147222c84dff513bebf00e828719454ad634ef9380cfc7835f0457a718b4b437ecb60c1fa72a7f83fbb67e1ddfcd225194eedda77034c72f8c752c642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\images.jpg

Filesize
13KB

MD5
49f4fe0c8646909c7cf87adf68d896fd

SHA1
9193264c38e5ed9fa0f5be1d79f802cf946a74cf

SHA256
9292dfcddc9e88e5dbc095ceeb83ce23400a3405a4d47fffc80656941c87d5ec

SHA512
9df4db8c958110cea66f627170919346ed673d3c13aa55292484fc74ebac2864b0292cd4d66d35957b4b2740b2fe30ddfb9d9e04115d655fb58bf39e100d285e

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\infected.html

Filesize
972B

MD5
f48be9db7436f1c53508f1ad70064459

SHA1
16b20d3933cc6398859f1334a848982cccfd8501

SHA256
f79460fad80962fabe51f271a2ad33fd54c418fbb0a8646c1d78654696d7d7b2

SHA512
c7870b4fd16827817fa16c68f9d1a51270cfd9dc052861977a12ffcbc91a1668c82f168f8b33661d68579cfed766e15d0e436794d0eed164946eb9927355b638

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\neurosafe.exe

Filesize
289KB

MD5
f0d99e475391a9ef4be431c987af9ef7

SHA1
f2da513c5da93019f07b077459c6165b02c3f1ec

SHA256
d4e57d24203e6224043042f44a4c98a64d6f0783116ca229fcc6e5a2971c9e79

SHA512
417be9f77602de3d8d6ed43398455827ebe44411b17bca304707efb6194ba10b2f41b0f42581ac36e1558673403a16baaa65f5d16f1ff71c8a169b5fda1e3912

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\nosearch.reg

Filesize
210KB

MD5
f68d38e0570e426038ff1a1e43afe037

SHA1
0d13a96502394de36608da595e7b95fe65273275

SHA256
51f2ba3572185d138fcc40cfb83c26657c4b3c9fcb19f866abad81c75b0b8b20

SHA512
a4fe35709fc8c7ff28b8ad105d907624fd807c8d2f53b7dedc20f3003e72515b430a38e891e344c21910381b307e438607b50cd56045779e260b97fc2cce41e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\nuggets.webp

Filesize
32KB

MD5
e40209599b592630dcac551daeb6b849

SHA1
851150b573f94f07e459c320d72505e52c3e74f0

SHA256
3c9aefa00fb2073763e807a7eccac687dcc26598f68564e9f9cf9ffdcd90a2be

SHA512
6da5895f2833a18ddb58ba4a9e78dd0b3047475cae248e974dc45d839f02c62772a6ba6dfe51dd9a37f29b7ec9780e799f60f0e476655006dec693164e17eec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\rckdck.exe

Filesize
6.2MB

MD5
a79fb1a90fb3d92cf815f2c08d3ade6d

SHA1
25e5e553af5e2d21b5cfc70ba41afb65202f6fd5

SHA256
43759b0c441fd4f71fe5eeb69f548cd2eb40ac0abfa02ea3afc44fbddf28dc16

SHA512
82aa45337987c4f344361037c6ca8cf4fbf0fc1e5079ac03f54f3184354792965f6f3b28bd2ab7b511d21f29859e2832fc6b6122a49ddecde12afc7e26fd62dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\screenscrew.exe

Filesize
111KB

MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53_ccea8e6c-4d8f-449b-b13a-8039b050842b\stopwatch.exe

Filesize
68KB

MD5
338a4b68d3292aa22049a22e9292e2a2

SHA1
9595e6f6d5e18a3e71d623ac4012e7633b020b29

SHA256
490d833205f9dfe4f1950d40c845489aa2d2039a77ab10473384986f8442ea6f

SHA512
06bc6463b65508d050c945d5bf08078eecd6982c74c7bab2a6722b99523189d24f530c10c05577e0dbd5b46e896d472112d036023ef5e576e2a8f9401b8668a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC162CA08\setup.exe

Filesize
6.4MB

MD5
defd30ea336650cc29c0c79fad6fa6b5

SHA1
935d871ed86456c6dd3c83136dc2d1bda5988ff3

SHA256
015a13bd912728e463df6807019b1914dffc3e6735830472e3287150a02e13f4

SHA512
8c6ebbf398fb44ff2254db5a7a2ffbc8803120fa93fa6b72c356c6e8eca45935ab973fe3c90d52d5a7691365caf5b41fe2702b6c76a61a0726faccc392c40e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2409211125589173884.dll

Filesize
5.9MB

MD5
640ed3115c855d32ee1731c54702eab7

SHA1
1ac749b52794cbadfec8d9219530e9a79fc9427c

SHA256
29b4cabc7a0e9dffbc2395b976749be0aad88357dd3b1d7e0cfc9b0c645421a3

SHA512
bebe55fdbb363b78c4a6371304f65b89e03a03cee5a8ebceee1681261d8df64a0de36888ed763c3a607ae2732ab54e2e41edb624f37a7fdf8755c40e6bb96f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jrz0pn1l.g4l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7H23C.tmp\is-LMEU0.tmp

Filesize
659KB

MD5
5aa68bb2bf3b994bda93834ad34e7963

SHA1
0156732d5dd48feacfab3aa07764061d73b9116c

SHA256
a90bfd9874c3e60650dba4c286b97ccdb375a456b95556feb38f3cba214770aa

SHA512
e52fecbba96aa911552ef0e11d5d044ec44caf6e0947f64c9a17b04d846a3e86d19e4dfa5ac981fc98d44f941fda3a697c1d23ac6e8ef162f4bcdde9142f22f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FQFRK.tmp\flydes.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu6A40.tmp\CR.History.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu6A40.tmp\CR.History.tmp

Filesize
124KB

MD5
0ade01a36bd217e6433dc3de6f299b5f

SHA1
cbe08943248a1c2ffbdfc6777e623f935df2ea96

SHA256
451242637b1d8837e40999c35ef48ca689a1519242b4e8e3bc27a60c02034589

SHA512
daf922def7e6ac0f2f440da73dbd1ca45bdb6615683523c8c7dbc9de70200446ad759dfc90fccabba247cc6e934691408b96025e567d394bfd809a85fda8a140

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu6A40.tmp\FF.places.tmp

Filesize
5.0MB

MD5
81412f7f844b75a6c65ed71eac0b9e61

SHA1
39b14eb48e13daaf94023482666fc9e13118ba72

SHA256
e37ca7753860c60248b70828432c8e018a3788479808fdfdbc4d3b369b381019

SHA512
63f2f6af6974091fb8de9dae945b392bb5f68abe66f7d9e3906089bb31f8e7ae2be03fcce44288514678b2b79eb309667b4607e9132183d1bb9a631ad65a983a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu6A40.tmp\JsisPlugins.dll

Filesize
2.1MB

MD5
d21ae3f86fc69c1580175b7177484fa7

SHA1
2ed2c1f5c92ff6daa5ea785a44a6085a105ae822

SHA256
a6241f168cacb431bfcd4345dd77f87b378dd861b5d440ae8d3ffd17b9ceb450

SHA512
eda08b6ebdb3f0a3b6b43ef755fc275396a8459b8fc8a41eff55473562c394d015e5fe573b3b134eeed72edff2b0f21a3b9ee69a4541fd9738e880b71730303f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu6A40.tmp\Midex.dll

Filesize
126KB

MD5
2597a829e06eb9616af49fcd8052b8bd

SHA1
871801aba3a75f95b10701f31303de705cb0bc5a

SHA256
7359ca1befdb83d480fc1149ac0e8e90354b5224db7420b14b2d96d87cd20a87

SHA512
8e5552b2f6e1c531aaa9fd507aa53c6e3d2f1dd63fe19e6350c5b6fbb009c99d353bb064a9eba4c31af6a020b31c0cd519326d32db4c8b651b83952e265ffb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu6A40.tmp\StdUtils.dll

Filesize
195KB

MD5
34939c7b38bffedbf9b9ed444d689bc9

SHA1
81d844048f7b11cafd7561b7242af56e92825697

SHA256
b127f3e04429d9f841a03bfd9344a0450594004c770d397fb32a76f6b0eabed0

SHA512
bc1b347986a5d2107ad03b65e4b9438530033975fb8cc0a63d8ef7d88c1a96f70191c727c902eb7c3e64aa5de9ce6bb04f829ceb627eda278f44ca3dd343a953

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu6A40.tmp\jsis.dll

Filesize
127KB

MD5
2027121c3cdeb1a1f8a5f539d1fe2e28

SHA1
bcf79f49f8fc4c6049f33748ded21ec3471002c2

SHA256
1dae8b6de29f2cfc0745d9f2a245b9ecb77f2b272a5b43de1ba5971c43bf73a1

SHA512
5b0d9966ecc08bcc2c127b2bd916617b8de2dcbdc28aff7b4b8449a244983bfbe33c56f5c4a53b7cf21faf1dbab4bb845a5894492e7e10f3f517071f7a59727c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu6A40.tmp\nsJSON.dll

Filesize
36KB

MD5
f840a9ddd319ee8c3da5190257abde5b

SHA1
3e868939239a5c6ef9acae10e1af721e4f99f24b

SHA256
ddb6c9f8de72ddd589f009e732040250b2124bca6195aa147aa7aac43fc2c73a

SHA512
8e12391027af928e4f7dad1ec4ab83e8359b19a7eb0be0372d051dfd2dd643dc0dfa086bd345760a496e5630c17f53db22f6008ae665033b766cbfcdd930881a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu6A40.tmp\thirdparty.dll

Filesize
93KB

MD5
7b4bd3b8ad6e913952f8ed1ceef40cd4

SHA1
b15c0b90247a5066bd06d094fa41a73f0f931cb8

SHA256
a49d3e455d7aeca2032c30fc099bfad1b1424a2f55ec7bb0f6acbbf636214754

SHA512
d7168f9504dd6bbac7ee566c3591bfd7ad4e55bcac463cecb70540197dfe0cd969af96d113c6709d6c8ce6e91f2f5f6542a95c1a149caa78ba4bcb971e0c12a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3275.tmp

Filesize
1KB

MD5
d65368fc6eab129858ab83d1d31c4bb0

SHA1
ff026854b460d8dd3e2c7a498249d8a8f96cfe18

SHA256
0b1f69b97c316b3f39a09c7aa1c11c517bf576a5e1a1dbb9ea9260067362c864

SHA512
5814fd2e2bb58d88654db3f80d9e13e5d7f5398678b090a29cb1e8270a3bc03f3dc572e03e8327a2ce59ec0bf492802e2820e4310941d44d4c63044160be37ad

Download Submit
C:\Windows\System\ZbJmOvt.exe

Filesize
5.2MB

MD5
eefecc5a7b2474af0da7a1cd54295ba2

SHA1
3fba991e6df5def5d85cd63d592e3b36099979e0

SHA256
892e921e058bceb22884725121938a707a118db99ea8c5ac3ba0e7a1cdc5aa6a

SHA512
7baf88cc8bf2a4a402755bc5077b32fccfe41cc93e232c1370160b02dbfaa48ca12b84eb6d04f1e398fc29c7ba1ef9ddbaa2c7683f6c9b69e4326823aaf1ac42

Download Submit
\??\pipe\LOCAL\crashpad_2716_DUPKYYXCJXJAOQMJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/740-2528-0x00007FF625D60000-0x00007FF6260B1000-memory.dmp

Filesize
3.3MB

Download
memory/740-2466-0x00007FF625D60000-0x00007FF6260B1000-memory.dmp

Filesize
3.3MB

Download
memory/860-353-0x0000000006A10000-0x0000000006A92000-memory.dmp

Filesize
520KB

Download
memory/860-105-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/860-102-0x00000000008D0000-0x00000000009BA000-memory.dmp

Filesize
936KB

Download
memory/968-493-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1776-2483-0x00007FF6FFFB0000-0x00007FF700301000-memory.dmp

Filesize
3.3MB

Download
memory/1868-1-0x0000000000B10000-0x0000000000B5A000-memory.dmp

Filesize
296KB

Download
memory/1868-2501-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/1868-94-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/1868-93-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

Filesize
4KB

Download
memory/1868-4-0x0000000005BB0000-0x0000000006154000-memory.dmp

Filesize
5.6MB

Download
memory/1868-3-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/1868-2-0x0000000002F00000-0x0000000002F24000-memory.dmp

Filesize
144KB

Download
memory/1868-0-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

Filesize
4KB

Download
memory/2132-2521-0x00007FF7B4280000-0x00007FF7B45D1000-memory.dmp

Filesize
3.3MB

Download
memory/2132-2418-0x00007FF7B4280000-0x00007FF7B45D1000-memory.dmp

Filesize
3.3MB

Download
memory/2264-2398-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2264-2399-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2268-2489-0x00007FF6CBD60000-0x00007FF6CC0B1000-memory.dmp

Filesize
3.3MB

Download
memory/2276-397-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/2276-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2276-452-0x0000000006AF0000-0x0000000006B40000-memory.dmp

Filesize
320KB

Download
memory/2364-637-0x00007FF7AE9B0000-0x00007FF7AE9D7000-memory.dmp

Filesize
156KB

Download
memory/2600-352-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2832-419-0x0000000006BD0000-0x0000000006C1C000-memory.dmp

Filesize
304KB

Download
memory/2832-398-0x00000000060D0000-0x0000000006136000-memory.dmp

Filesize
408KB

Download
memory/2832-408-0x00000000061B0000-0x0000000006504000-memory.dmp

Filesize
3.3MB

Download
memory/2832-451-0x0000000007CA0000-0x0000000007CA8000-memory.dmp

Filesize
32KB

Download
memory/2832-418-0x0000000006650000-0x000000000666E000-memory.dmp

Filesize
120KB

Download
memory/2832-392-0x0000000005EF0000-0x0000000005F12000-memory.dmp

Filesize
136KB

Download
memory/2832-447-0x0000000007B80000-0x0000000007B91000-memory.dmp

Filesize
68KB

Download
memory/2832-433-0x00000000701C0000-0x000000007020C000-memory.dmp

Filesize
304KB

Download
memory/3136-506-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/3260-2485-0x00007FF66F7D0000-0x00007FF66FB21000-memory.dmp

Filesize
3.3MB

Download
memory/4172-2417-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4240-731-0x0000000000C40000-0x0000000000C5C000-memory.dmp

Filesize
112KB

Download
memory/4240-760-0x0000000009CC0000-0x0000000009CF8000-memory.dmp

Filesize
224KB

Download
memory/4240-761-0x0000000009CA0000-0x0000000009CAE000-memory.dmp

Filesize
56KB

Download
memory/4240-759-0x0000000006350000-0x0000000006358000-memory.dmp

Filesize
32KB

Download
memory/4404-2447-0x00007FF6024A0000-0x00007FF6027F1000-memory.dmp

Filesize
3.3MB

Download
memory/4532-2478-0x00007FF6C6B60000-0x00007FF6C6EB1000-memory.dmp

Filesize
3.3MB

Download
memory/4556-2488-0x00007FF70F070000-0x00007FF70F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/4984-83-0x0000000005030000-0x00000000050CC000-memory.dmp

Filesize
624KB

Download
memory/4984-84-0x0000000005170000-0x0000000005202000-memory.dmp

Filesize
584KB

Download
memory/4984-86-0x0000000005110000-0x000000000511A000-memory.dmp

Filesize
40KB

Download
memory/4984-87-0x0000000005360000-0x00000000053B6000-memory.dmp

Filesize
344KB

Download
memory/4984-95-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/4984-82-0x00000000005E0000-0x00000000007D2000-memory.dmp

Filesize
1.9MB

Download
memory/4984-80-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/5036-2396-0x0000000005270000-0x0000000005352000-memory.dmp

Filesize
904KB

Download
memory/5036-2397-0x0000000002990000-0x00000000029B2000-memory.dmp

Filesize
136KB

Download
memory/5036-2395-0x0000000000690000-0x0000000000832000-memory.dmp

Filesize
1.6MB

Download
memory/5256-2490-0x00007FF6A4380000-0x00007FF6A46D1000-memory.dmp

Filesize
3.3MB

Download
memory/5308-948-0x00007FF737CE0000-0x00007FF737D09000-memory.dmp

Filesize
164KB

Download
memory/5308-635-0x00007FF737CE0000-0x00007FF737D09000-memory.dmp

Filesize
164KB

Download
memory/5340-772-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5340-472-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5424-421-0x00000000701C0000-0x000000007020C000-memory.dmp

Filesize
304KB

Download
memory/5424-359-0x0000000005100000-0x0000000005728000-memory.dmp

Filesize
6.2MB

Download
memory/5424-358-0x00000000026D0000-0x0000000002706000-memory.dmp

Filesize
216KB

Download
memory/5424-449-0x0000000007560000-0x0000000007574000-memory.dmp

Filesize
80KB

Download
memory/5424-445-0x0000000007390000-0x000000000739A000-memory.dmp

Filesize
40KB

Download
memory/5424-448-0x0000000007550000-0x000000000755E000-memory.dmp

Filesize
56KB

Download
memory/5424-444-0x0000000007320000-0x000000000733A000-memory.dmp

Filesize
104KB

Download
memory/5424-443-0x0000000007960000-0x0000000007FDA000-memory.dmp

Filesize
6.5MB

Download
memory/5424-450-0x0000000007660000-0x000000000767A000-memory.dmp

Filesize
104KB

Download
memory/5424-420-0x0000000006FE0000-0x0000000007012000-memory.dmp

Filesize
200KB

Download
memory/5424-432-0x0000000007020000-0x00000000070C3000-memory.dmp

Filesize
652KB

Download
memory/5424-431-0x0000000006FA0000-0x0000000006FBE000-memory.dmp

Filesize
120KB

Download
memory/5424-446-0x00000000075A0000-0x0000000007636000-memory.dmp

Filesize
600KB

Download
memory/5476-2481-0x00007FF7B59C0000-0x00007FF7B5D11000-memory.dmp

Filesize
3.3MB

Download
memory/5512-492-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/5712-1145-0x00007FF605C10000-0x00007FF605C36000-memory.dmp

Filesize
152KB

Download
memory/5712-643-0x00007FF605C10000-0x00007FF605C36000-memory.dmp

Filesize
152KB

Download
memory/5816-640-0x00007FF6F3890000-0x00007FF6F38B6000-memory.dmp

Filesize
152KB

Download
memory/5996-364-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5996-490-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6028-370-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6028-491-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6064-1260-0x0000000000D60000-0x000000000111B000-memory.dmp

Filesize
3.7MB

Download
memory/6064-1155-0x0000000000D60000-0x000000000111B000-memory.dmp

Filesize
3.7MB

Download
memory/6120-2472-0x00007FF676340000-0x00007FF676691000-memory.dmp

Filesize
3.3MB

Download
memory/6148-2491-0x00007FF625ED0000-0x00007FF626221000-memory.dmp

Filesize
3.3MB

Download
memory/6160-2523-0x00007FF78B310000-0x00007FF78B661000-memory.dmp

Filesize
3.3MB

Download
memory/6160-2424-0x00007FF78B310000-0x00007FF78B661000-memory.dmp

Filesize
3.3MB

Download
memory/6240-2448-0x00007FF67C170000-0x00007FF67C4C1000-memory.dmp

Filesize
3.3MB

Download
memory/6240-2527-0x00007FF67C170000-0x00007FF67C4C1000-memory.dmp

Filesize
3.3MB

Download
memory/6308-2520-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/6308-2393-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/6316-2401-0x000001AD53460000-0x000001AD53470000-memory.dmp

Filesize
64KB

Download
memory/6316-2519-0x00007FF7A6E90000-0x00007FF7A71E1000-memory.dmp

Filesize
3.3MB

Download
memory/6316-2392-0x00007FF7A6E90000-0x00007FF7A71E1000-memory.dmp

Filesize
3.3MB

Download
memory/6336-2530-0x00007FF6E9450000-0x00007FF6E97A1000-memory.dmp

Filesize
3.3MB

Download
memory/6336-2471-0x00007FF6E9450000-0x00007FF6E97A1000-memory.dmp

Filesize
3.3MB

Download
memory/6392-1175-0x00000000663A0000-0x00000000663EC000-memory.dmp

Filesize
304KB

Download
memory/6392-1187-0x0000000007B70000-0x0000000007C13000-memory.dmp

Filesize
652KB

Download
memory/6400-803-0x0000000005910000-0x0000000005C64000-memory.dmp

Filesize
3.3MB

Download
memory/6400-1108-0x0000000005E20000-0x0000000005E6C000-memory.dmp

Filesize
304KB

Download
memory/6400-1184-0x00000000663A0000-0x00000000663EC000-memory.dmp

Filesize
304KB

Download
memory/6400-1240-0x0000000007280000-0x0000000007291000-memory.dmp

Filesize
68KB

Download
memory/6400-1273-0x00000000072C0000-0x00000000072D4000-memory.dmp

Filesize
80KB

Download
memory/6408-1206-0x00000000663A0000-0x00000000663EC000-memory.dmp

Filesize
304KB

Download
memory/6432-2529-0x00007FF6E8F00000-0x00007FF6E9251000-memory.dmp

Filesize
3.3MB

Download
memory/6432-2465-0x00007FF6E8F00000-0x00007FF6E9251000-memory.dmp

Filesize
3.3MB

Download
memory/6636-2463-0x00007FF610130000-0x00007FF610481000-memory.dmp

Filesize
3.3MB

Download
memory/6660-2428-0x00007FF768C90000-0x00007FF768FE1000-memory.dmp

Filesize
3.3MB

Download
memory/6660-2524-0x00007FF768C90000-0x00007FF768FE1000-memory.dmp

Filesize
3.3MB

Download
memory/6764-2431-0x00007FF671200000-0x00007FF671551000-memory.dmp

Filesize
3.3MB

Download
memory/6776-2492-0x00007FF6B5470000-0x00007FF6B57C1000-memory.dmp

Filesize
3.3MB

Download
memory/6916-2484-0x00007FF6688E0000-0x00007FF668C31000-memory.dmp

Filesize
3.3MB

Download