agenttesla | 091fe012d48363c38f32016a497481c9a598e400f1c83bb254f5e7ebaf75bf41

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-09-2024 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1.exe
Size

58.1MB
MD5

a36ccf5fb6bc5c1342371a21b33a6f0c
SHA1

2daefc8e9d7a3f7d461a9cc7a2a69e9c87667c83
SHA256

f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1
SHA512

80f3c9e56cd1f9ba596c93a0742e5f56e7a44fdc678d9c3a19f0e90db9a81ed1ce09e159f61c57c566e47c428986f96bc29b7e1f71941c86961e3f43ab4dcc78
SSDEEP

1572864:TLOrJXzVj0mz3uu2etPQiWmoh8rb28CQG2Y:TLqJXBj0kuu3IDmnrb5Y

Score

10^/10

agenttesla cobaltstrike modiloader raccoon xmrig 2ca5558c9ec8037d24a611513d7bd076 backdoor bootkit credential_access discovery evasion execution keylogger miner persistence spyware stealer trojan upx

Malware Config

Extracted

Family

raccoon

Botnet

2ca5558c9ec8037d24a611513d7bd076

https://192.153.57.177:80

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
webmaster
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0009000000016d3f-2590.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

resource	yara_rule
behavioral1/memory/4040-2693-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral1/memory/4040-2692-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral1/memory/4040-2689-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/784-2659-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	modiloader_stage2
behavioral1/memory/4036-2658-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2
behavioral1/memory/4036-2712-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2

XMRig Miner payload 27 IoCs

miner

resource	yara_rule
behavioral1/memory/3316-2609-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/1144-2608-0x000000013FCD0000-0x0000000140021000-memory.dmp	xmrig
behavioral1/memory/3828-2616-0x000000013FC10000-0x000000013FF61000-memory.dmp	xmrig
behavioral1/memory/784-2620-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/1308-2596-0x000000013FE30000-0x0000000140181000-memory.dmp	xmrig
behavioral1/memory/2016-2663-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	xmrig
behavioral1/memory/3640-2662-0x000000013F5D0000-0x000000013F921000-memory.dmp	xmrig
behavioral1/memory/3388-2661-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/1952-2657-0x000000013F660000-0x000000013F9B1000-memory.dmp	xmrig
behavioral1/memory/3204-2648-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	xmrig
behavioral1/memory/2356-2638-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/3208-2699-0x000000013F110000-0x000000013F461000-memory.dmp	xmrig
behavioral1/memory/2428-2707-0x000000013F130000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/784-2711-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/784-2719-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	xmrig
behavioral1/memory/1308-2780-0x000000013FE30000-0x0000000140181000-memory.dmp	xmrig
behavioral1/memory/3208-2782-0x000000013F110000-0x000000013F461000-memory.dmp	xmrig
behavioral1/memory/1144-2784-0x000000013FCD0000-0x0000000140021000-memory.dmp	xmrig
behavioral1/memory/3316-2786-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/3828-2788-0x000000013FC10000-0x000000013FF61000-memory.dmp	xmrig
behavioral1/memory/2428-2790-0x000000013F130000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/2356-2792-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/3204-2794-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	xmrig
behavioral1/memory/3388-2796-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/1952-2801-0x000000013F660000-0x000000013F9B1000-memory.dmp	xmrig
behavioral1/memory/2016-2802-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	xmrig
behavioral1/memory/3640-2798-0x000000013F5D0000-0x000000013F921000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1916	powershell.exe
2240	powershell.exe
2408	powershell.exe
2780	powershell.exe
2256	powershell.exe

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates\F8D7D81847FA9FD2D2C884C7F477959547357892\Blob = 0f0000000100000014000000108b5c9c45de36204c7b5eeac7e95312ba373fde0200000001000000cc0000001c0000006c0000000100000000000000000000000000000001000000380037003600390036003800350063002d0062003700330032002d0034006300330034002d0039006500300064002d0033006300650065006600370031003200300030006300330000000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f8d7d81847fa9fd2d2c884c7f477959547357892200000000100000000030000308202fc308201e4a00302010202104da2aff4306ab2bd42e3d44f6dd807c1300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234303932323030333933395a180f32313234303832393030333933395a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100b08fadd1347e0559b583f57d678b47cf539020c5f4e50544bbc29605193eb7ef217530ce880025165fb9791f648a0e99a8d0f9091a6be5a57dd12a54b57f7fe702b709fd8eda9f1dd563a34abfa5aca7e4f8f56ad8cf3778a570099a9d70aedfd5114fdf512436230472633323c53b2dea5521f5bd00f5ebf90f20b8fa92b3725f359c8a666e0ced94ad5f2331bd2bafd7c247e5fe295c364603df4e72dbfe1a1bc3708bd2d97d2af24602d58e3820e8621f78409ea457568bae15c5ee14360a6b90cd4ce6ecce4517c4cd8f48b46b0c039c2945eebada8ff8ad3e513f9f8f620d3b1cf6c328fbf110a310a0238c65437a8cdf630c2b84a49e800d6048b405290203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e404a534d55524e50540030090603551d1304023000300d06092a864886f70d010105050003820101008721a83c54fb2cfd90eb373c3bb6a2654ccd672f61273ee7bf7cc0fddd1d3209add9d3a9eef71379abad87fa363322558a473de3ae79835edded9523f14d3327020eb6613c7a8c98c1f4e92820609dc87ba46acea92413af2be46686ec3b5da6d6f6962396a4dc1fb726b90d69f96dee61e2d89dbb7c8137dbb31f99192d9c665cba64c3587ea360fbadf078eb9ea239925fe62d6d0d71a2b2725c0e2cbe50d2f6ad9eb8af8786f7a0e809134f860ce0617c1d772f038c7a009f7793e67c68daeffc74982815dedd192cc30a569da086c81a3c2450a92de7279599a1f54c3ecca3cbd5c3d50aa8d69439644465c9d4702601a81b81c64a5a66de959f1677ad59	IEXPLORE.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\F8D7D81847FA9FD2D2C884C7F477959547357892\Blob = 0f0000000100000014000000108b5c9c45de36204c7b5eeac7e95312ba373fde030000000100000014000000f8d7d81847fa9fd2d2c884c7f477959547357892200000000100000000030000308202fc308201e4a00302010202104da2aff4306ab2bd42e3d44f6dd807c1300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234303932323030333933395a180f32313234303832393030333933395a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100b08fadd1347e0559b583f57d678b47cf539020c5f4e50544bbc29605193eb7ef217530ce880025165fb9791f648a0e99a8d0f9091a6be5a57dd12a54b57f7fe702b709fd8eda9f1dd563a34abfa5aca7e4f8f56ad8cf3778a570099a9d70aedfd5114fdf512436230472633323c53b2dea5521f5bd00f5ebf90f20b8fa92b3725f359c8a666e0ced94ad5f2331bd2bafd7c247e5fe295c364603df4e72dbfe1a1bc3708bd2d97d2af24602d58e3820e8621f78409ea457568bae15c5ee14360a6b90cd4ce6ecce4517c4cd8f48b46b0c039c2945eebada8ff8ad3e513f9f8f620d3b1cf6c328fbf110a310a0238c65437a8cdf630c2b84a49e800d6048b405290203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e404a534d55524e50540030090603551d1304023000300d06092a864886f70d010105050003820101008721a83c54fb2cfd90eb373c3bb6a2654ccd672f61273ee7bf7cc0fddd1d3209add9d3a9eef71379abad87fa363322558a473de3ae79835edded9523f14d3327020eb6613c7a8c98c1f4e92820609dc87ba46acea92413af2be46686ec3b5da6d6f6962396a4dc1fb726b90d69f96dee61e2d89dbb7c8137dbb31f99192d9c665cba64c3587ea360fbadf078eb9ea239925fe62d6d0d71a2b2725c0e2cbe50d2f6ad9eb8af8786f7a0e809134f860ce0617c1d772f038c7a009f7793e67c68daeffc74982815dedd192cc30a569da086c81a3c2450a92de7279599a1f54c3ecca3cbd5c3d50aa8d69439644465c9d4702601a81b81c64a5a66de959f1677ad59	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates\F8D7D81847FA9FD2D2C884C7F477959547357892\Blob = 0f0000000100000014000000108b5c9c45de36204c7b5eeac7e95312ba373fde030000000100000014000000f8d7d81847fa9fd2d2c884c7f4779595473578920200000001000000cc0000001c0000006c0000000100000000000000000000000000000001000000380037003600390036003800350063002d0062003700330032002d0034006300330034002d0039006500300064002d0033006300650065006600370031003200300030006300330000000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000200000000100000000030000308202fc308201e4a00302010202104da2aff4306ab2bd42e3d44f6dd807c1300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234303932323030333933395a180f32313234303832393030333933395a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100b08fadd1347e0559b583f57d678b47cf539020c5f4e50544bbc29605193eb7ef217530ce880025165fb9791f648a0e99a8d0f9091a6be5a57dd12a54b57f7fe702b709fd8eda9f1dd563a34abfa5aca7e4f8f56ad8cf3778a570099a9d70aedfd5114fdf512436230472633323c53b2dea5521f5bd00f5ebf90f20b8fa92b3725f359c8a666e0ced94ad5f2331bd2bafd7c247e5fe295c364603df4e72dbfe1a1bc3708bd2d97d2af24602d58e3820e8621f78409ea457568bae15c5ee14360a6b90cd4ce6ecce4517c4cd8f48b46b0c039c2945eebada8ff8ad3e513f9f8f620d3b1cf6c328fbf110a310a0238c65437a8cdf630c2b84a49e800d6048b405290203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e404a534d55524e50540030090603551d1304023000300d06092a864886f70d010105050003820101008721a83c54fb2cfd90eb373c3bb6a2654ccd672f61273ee7bf7cc0fddd1d3209add9d3a9eef71379abad87fa363322558a473de3ae79835edded9523f14d3327020eb6613c7a8c98c1f4e92820609dc87ba46acea92413af2be46686ec3b5da6d6f6962396a4dc1fb726b90d69f96dee61e2d89dbb7c8137dbb31f99192d9c665cba64c3587ea360fbadf078eb9ea239925fe62d6d0d71a2b2725c0e2cbe50d2f6ad9eb8af8786f7a0e809134f860ce0617c1d772f038c7a009f7793e67c68daeffc74982815dedd192cc30a569da086c81a3c2450a92de7279599a1f54c3ecca3cbd5c3d50aa8d69439644465c9d4702601a81b81c64a5a66de959f1677ad59	IEXPLORE.EXE

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1536	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation	avg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation	ajC545.exe

Executes dropped EXE 47 IoCs

pid	Process
2728	anti.exe
996	butdes.exe
1280	flydes.exe
1848	i.exe
2784	flydes.tmp
1316	butdes.tmp
2476	gx.exe
2264	bundle.exe
2680	rckdck.exe
2172	avg.exe
1512	is-B7SV1.tmp
336	setup.exe
1864	telamon.exe
2792	stopwatch.exe
2316	telamon.tmp
784	tt-installer-helper.exe
2064	g_.exe
1984	t.exe
756	g.exe
2276	e.exe
1620	Bootstraper.exe
3872	ajC545.exe
784	cobstrk.exe
1240	PurchaseOrder.exe
4036	jaf.exe
2416	file.exe
1308	LPwMdtt.exe
3208	AqgazBJ.exe
1144	gzZWPfP.exe
3316	JDlngRe.exe
3828	kIEqvzE.exe
2428	yjWOXBh.exe
2356	ubHASpP.exe
3204	CVItvVF.exe
3388	vRHhXrQ.exe
3640	JJnUoIZ.exe
1952	QfQOBgs.exe
2016	StoHCtS.exe
2788	CBZgHom.exe
3248	iqJRrkd.exe
3552	ZffLsVg.exe
3772	GkHarMd.exe
3512	YHjNmQg.exe
3444	spgvHkX.exe
3684	vhLKMCH.exe
3448	wbDzikW.exe
3868	rFsoxpw.exe

Loads dropped DLL 64 IoCs

pid	Process
2876	cmd.exe
2876	cmd.exe
2876	cmd.exe
2876	cmd.exe
2876	cmd.exe
1280	flydes.exe
996	butdes.exe
2876	cmd.exe
2876	cmd.exe
2876	cmd.exe
2876	cmd.exe
2680	rckdck.exe
2876	cmd.exe
2876	cmd.exe
2172	avg.exe
2172	avg.exe
1864	telamon.exe
2172	avg.exe
2316	telamon.tmp
2172	avg.exe
1228	cmd.exe
2876	cmd.exe
2876	cmd.exe
1016	Process not Found
2064	g_.exe
1984	t.exe
2876	cmd.exe
756	g.exe
2172	avg.exe
2876	cmd.exe
2276	e.exe
2064	g_.exe
1984	t.exe
756	g.exe
2276	e.exe
2876	cmd.exe
2172	avg.exe
2172	avg.exe
3872	ajC545.exe
3872	ajC545.exe
3872	ajC545.exe
3872	ajC545.exe
3872	ajC545.exe
3872	ajC545.exe
3872	ajC545.exe
3872	ajC545.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
2876	cmd.exe
2876	cmd.exe
2876	cmd.exe
2876	cmd.exe
2876	cmd.exe
1240	PurchaseOrder.exe
1240	PurchaseOrder.exe
1240	PurchaseOrder.exe
1832	Process not Found
784	cobstrk.exe
784	cobstrk.exe
784	cobstrk.exe
784	cobstrk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/784-2567-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
behavioral1/files/0x0009000000016d3f-2590.dat	upx
behavioral1/memory/3316-2609-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/memory/1144-2608-0x000000013FCD0000-0x0000000140021000-memory.dmp	upx
behavioral1/memory/3828-2616-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
behavioral1/memory/784-2620-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
behavioral1/memory/2428-2619-0x000000013F130000-0x000000013F481000-memory.dmp	upx
behavioral1/memory/3208-2604-0x000000013F110000-0x000000013F461000-memory.dmp	upx
behavioral1/memory/1308-2596-0x000000013FE30000-0x0000000140181000-memory.dmp	upx
behavioral1/memory/2016-2663-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	upx
behavioral1/memory/3640-2662-0x000000013F5D0000-0x000000013F921000-memory.dmp	upx
behavioral1/memory/3388-2661-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/memory/1952-2657-0x000000013F660000-0x000000013F9B1000-memory.dmp	upx
behavioral1/memory/3204-2648-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	upx
behavioral1/memory/2356-2638-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
behavioral1/memory/3208-2699-0x000000013F110000-0x000000013F461000-memory.dmp	upx
behavioral1/memory/2428-2707-0x000000013F130000-0x000000013F481000-memory.dmp	upx
behavioral1/memory/784-2711-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
behavioral1/memory/1308-2780-0x000000013FE30000-0x0000000140181000-memory.dmp	upx
behavioral1/memory/3208-2782-0x000000013F110000-0x000000013F461000-memory.dmp	upx
behavioral1/memory/1144-2784-0x000000013FCD0000-0x0000000140021000-memory.dmp	upx
behavioral1/memory/3316-2786-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/memory/3828-2788-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
behavioral1/memory/2428-2790-0x000000013F130000-0x000000013F481000-memory.dmp	upx
behavioral1/memory/2356-2792-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
behavioral1/memory/3204-2794-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	upx
behavioral1/memory/3388-2796-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/memory/1952-2801-0x000000013F660000-0x000000013F9B1000-memory.dmp	upx
behavioral1/memory/2016-2802-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	upx
behavioral1/memory/3640-2798-0x000000013F5D0000-0x000000013F921000-memory.dmp	upx

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\SOFTWARE\AVAST Software\Avast	ajC545.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	avg.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\SOFTWARE\AVAST Software\Avast	avg.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	ajC545.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jaf.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
58	api.ipify.org
59	api.ipify.org

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ajC545.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 4040	2416	file.exe	407
PID 1240 set thread context of 2252	1240	PurchaseOrder.exe	439

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\icon.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\corner.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg_orange.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_h.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_right.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_down.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_settings.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_h.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_m.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_hov.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_left.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_m.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_left.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_m.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-today.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_h.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_left.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\drag.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_right.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\drag.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\glass_lrg.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\icon.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_right.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\9.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_right.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\16-on-black.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_rest.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_dot.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_h.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_s.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_disabled.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_docked.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_rest.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_h.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_left.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_left.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\4.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_ring_docked.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_dot.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_pressed.png	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\gzZWPfP.exe	cobstrk.exe
File created	C:\Windows\System\ubHASpP.exe	cobstrk.exe
File created	C:\Windows\System\spgvHkX.exe	cobstrk.exe
File created	C:\Windows\System\AqgazBJ.exe	cobstrk.exe
File created	C:\Windows\System\CBZgHom.exe	cobstrk.exe
File created	C:\Windows\System\iqJRrkd.exe	cobstrk.exe
File created	C:\Windows\System\GkHarMd.exe	cobstrk.exe
File created	C:\Windows\System\vhLKMCH.exe	cobstrk.exe
File created	C:\Windows\System\CVItvVF.exe	cobstrk.exe
File created	C:\Windows\System\JDlngRe.exe	cobstrk.exe
File created	C:\Windows\System\kIEqvzE.exe	cobstrk.exe
File created	C:\Windows\System\yjWOXBh.exe	cobstrk.exe
File created	C:\Windows\System\vRHhXrQ.exe	cobstrk.exe
File created	C:\Windows\System\QfQOBgs.exe	cobstrk.exe
File created	C:\Windows\System\ZffLsVg.exe	cobstrk.exe
File created	C:\Windows\System\YHjNmQg.exe	cobstrk.exe
File created	C:\Windows\System\LPwMdtt.exe	cobstrk.exe
File created	C:\Windows\System\JJnUoIZ.exe	cobstrk.exe
File created	C:\Windows\System\wbDzikW.exe	cobstrk.exe
File created	C:\Windows\System\rFsoxpw.exe	cobstrk.exe
File created	C:\Windows\System\StoHCtS.exe	cobstrk.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2036	1620	WerFault.exe	149

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tt-installer-helper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flydes.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rckdck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2356	timeout.exe
3160	timeout.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
3912	taskkill.exe
1876	taskkill.exe
3568	taskkill.exe
1692	taskkill.exe
1952	taskkill.exe
2136	taskkill.exe
1800	taskkill.exe
2248	taskkill.exe
3804	taskkill.exe
2180	taskkill.exe
1600	taskkill.exe
2480	taskkill.exe
2192	taskkill.exe
2584	taskkill.exe
992	taskkill.exe
3980	taskkill.exe
3828	taskkill.exe
3640	taskkill.exe
2756	taskkill.exe
2628	taskkill.exe
2112	taskkill.exe
2104	taskkill.exe
2400	taskkill.exe
3372	taskkill.exe
3704	taskkill.exe
2736	taskkill.exe
2696	taskkill.exe
1876	taskkill.exe
1448	taskkill.exe
3080	taskkill.exe
2148	taskkill.exe
3020	taskkill.exe
2012	taskkill.exe
3312	taskkill.exe
1536	taskkill.exe
1844	taskkill.exe
3736	taskkill.exe
2756	taskkill.exe
2036	taskkill.exe
1704	taskkill.exe
2280	taskkill.exe
2456	taskkill.exe
3792	taskkill.exe
1860	taskkill.exe
2696	taskkill.exe
3508	taskkill.exe
4048	taskkill.exe
1716	taskkill.exe
3876	taskkill.exe
3352	taskkill.exe
3092	taskkill.exe
3768	taskkill.exe
2856	taskkill.exe
1592	taskkill.exe
1368	taskkill.exe
2308	taskkill.exe
3500	taskkill.exe
3432	taskkill.exe
1220	taskkill.exe
2292	taskkill.exe
3212	taskkill.exe
3784	taskkill.exe
3076	taskkill.exe
3064	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0e0bcf0870cdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc500000000002000000000010660000000100002000000081606e1bcdc6771aa6490ea2d829bd271322e6b1f968e22df820e363e5662aa9000000000e800000000200002000000093ef211ce9d044f747c7c9dd13c9cf519f42e94fdbeb47101d566faddb039a60200000000fff7cccaffa5ec95c498d9df82f66d3aff398cf152672d630b8d6bf6acba7774000000001ff867013c227405744a2f7a7a285b6a7f205171afde16008d640200f46cf8273583172b99670ea6f71bb6dc246aa0f9d8de8438c11e4fbc449c2c687602ba7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2676B0F1-787B-11EF-86C1-D60C98DC526F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000de10f240b7af3b3b1722a9eff186a9fc04d4fca0e3ef2b04174459daef7f0976000000000e80000000020000200000008dbbbe657b194ebc57f75f0e92ae3ed57b4e9123206ae5b6fee8a6a24536fcf590000000b5300180f8a5df8a5f6c9a3bc788e84d3fce93452e19708b63881f439d6ff83fb050df8362c20ebfc270ae727564751593e7e506c869ac45e738042189aa2e1a063b50e444592042e4a509b82cebd5bac32b0803921b8bdc1440877fc65f4e67ffa57c7639a888135a18cd10a58b1d83dca69ccaa9877fccc10b1c6c63fca4720881de05b4813fa109822c340a40357640000000eaba52ed4cadf4f93b2996045953d959b55c599e0e12ae95244a7f7305b429e07b1f25f5418350f987060c36c8c14ce11fb203c246d2d4499b5069297bed5038	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433127447"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Modifies registry class 19 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	IEXPLORE.EXE

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ajC545.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	ajC545.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	ajC545.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	ajC545.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ajC545.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3984	notepad.exe
1580	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
3872	ajC545.exe
2172	avg.exe
3872	ajC545.exe
3872	ajC545.exe
3872	ajC545.exe
3872	ajC545.exe
3872	ajC545.exe
3872	ajC545.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe
2172	avg.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

pid	Process
2784	flydes.tmp
1316	butdes.tmp
2264	bundle.exe
1512	is-B7SV1.tmp
2316	telamon.tmp
2064	g_.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	2176	taskkill.exe
Token: SeDebugPrivilege	304	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	880	taskkill.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	2136	taskkill.exe
Token: SeDebugPrivilege	2148	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	1240	taskkill.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	2756	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	2480	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	2696	taskkill.exe
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	1044	taskkill.exe
Token: SeDebugPrivilege	2912	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1444	taskkill.exe
Token: SeDebugPrivilege	2104	taskkill.exe
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	2148	taskkill.exe
Token: SeDebugPrivilege	760	taskkill.exe
Token: SeDebugPrivilege	2492	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	2076	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	2544	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	2480	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
2592	efsui.exe
2568	iexplore.exe
2568	iexplore.exe
2728	anti.exe
2792	stopwatch.exe
544	msiexec.exe
2568	iexplore.exe
2568	iexplore.exe
2568	iexplore.exe
2568	iexplore.exe
2568	iexplore.exe
2568	iexplore.exe
2568	iexplore.exe
2568	iexplore.exe
2568	iexplore.exe
2568	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2568	iexplore.exe
2568	iexplore.exe
1052	IEXPLORE.EXE
1052	IEXPLORE.EXE
2172	avg.exe
3400	IEXPLORE.EXE
3400	IEXPLORE.EXE
3872	ajC545.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2876	3004	f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1.exe	30
PID 3004 wrote to memory of 2876	3004	f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1.exe	30
PID 3004 wrote to memory of 2876	3004	f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1.exe	30
PID 3004 wrote to memory of 2876	3004	f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1.exe	30
PID 2876 wrote to memory of 2728	2876	cmd.exe	32
PID 2876 wrote to memory of 2728	2876	cmd.exe	32
PID 2876 wrote to memory of 2728	2876	cmd.exe	32
PID 2876 wrote to memory of 2728	2876	cmd.exe	32
PID 2876 wrote to memory of 2956	2876	cmd.exe	33
PID 2876 wrote to memory of 2956	2876	cmd.exe	33
PID 2876 wrote to memory of 2956	2876	cmd.exe	33
PID 2876 wrote to memory of 2956	2876	cmd.exe	33
PID 2876 wrote to memory of 2892	2876	cmd.exe	35
PID 2876 wrote to memory of 2892	2876	cmd.exe	35
PID 2876 wrote to memory of 2892	2876	cmd.exe	35
PID 2876 wrote to memory of 2892	2876	cmd.exe	35
PID 2956 wrote to memory of 2736	2956	cmd.exe	36
PID 2956 wrote to memory of 2736	2956	cmd.exe	36
PID 2956 wrote to memory of 2736	2956	cmd.exe	36
PID 2956 wrote to memory of 2736	2956	cmd.exe	36
PID 2876 wrote to memory of 2628	2876	cmd.exe	38
PID 2876 wrote to memory of 2628	2876	cmd.exe	38
PID 2876 wrote to memory of 2628	2876	cmd.exe	38
PID 2876 wrote to memory of 2628	2876	cmd.exe	38
PID 2956 wrote to memory of 2176	2956	cmd.exe	40
PID 2956 wrote to memory of 2176	2956	cmd.exe	40
PID 2956 wrote to memory of 2176	2956	cmd.exe	40
PID 2956 wrote to memory of 2176	2956	cmd.exe	40
PID 2956 wrote to memory of 304	2956	cmd.exe	41
PID 2956 wrote to memory of 304	2956	cmd.exe	41
PID 2956 wrote to memory of 304	2956	cmd.exe	41
PID 2956 wrote to memory of 304	2956	cmd.exe	41
PID 2956 wrote to memory of 2684	2956	cmd.exe	42
PID 2956 wrote to memory of 2684	2956	cmd.exe	42
PID 2956 wrote to memory of 2684	2956	cmd.exe	42
PID 2956 wrote to memory of 2684	2956	cmd.exe	42
PID 2956 wrote to memory of 880	2956	cmd.exe	43
PID 2956 wrote to memory of 880	2956	cmd.exe	43
PID 2956 wrote to memory of 880	2956	cmd.exe	43
PID 2956 wrote to memory of 880	2956	cmd.exe	43
PID 2956 wrote to memory of 2656	2956	cmd.exe	44
PID 2956 wrote to memory of 2656	2956	cmd.exe	44
PID 2956 wrote to memory of 2656	2956	cmd.exe	44
PID 2956 wrote to memory of 2656	2956	cmd.exe	44
PID 2956 wrote to memory of 2940	2956	cmd.exe	45
PID 2956 wrote to memory of 2940	2956	cmd.exe	45
PID 2956 wrote to memory of 2940	2956	cmd.exe	45
PID 2956 wrote to memory of 2940	2956	cmd.exe	45
PID 2876 wrote to memory of 2568	2876	cmd.exe	46
PID 2876 wrote to memory of 2568	2876	cmd.exe	46
PID 2876 wrote to memory of 2568	2876	cmd.exe	46
PID 2876 wrote to memory of 2568	2876	cmd.exe	46
PID 2956 wrote to memory of 2136	2956	cmd.exe	47
PID 2956 wrote to memory of 2136	2956	cmd.exe	47
PID 2956 wrote to memory of 2136	2956	cmd.exe	47
PID 2956 wrote to memory of 2136	2956	cmd.exe	47
PID 2876 wrote to memory of 996	2876	cmd.exe	48
PID 2876 wrote to memory of 996	2876	cmd.exe	48
PID 2876 wrote to memory of 996	2876	cmd.exe	48
PID 2876 wrote to memory of 996	2876	cmd.exe	48
PID 2876 wrote to memory of 996	2876	cmd.exe	48
PID 2876 wrote to memory of 996	2876	cmd.exe	48
PID 2876 wrote to memory of 996	2876	cmd.exe	48
PID 2956 wrote to memory of 2148	2956	cmd.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1536	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1.exe
"C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\!m.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\anti.exe
    anti.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K fence.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2176
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:304
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:880
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2656
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2136
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2148
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1144
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2292
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1708
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1920
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2284
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2192
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2708
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2628
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2880
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2104
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2264
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2148
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:760
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1656
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2420
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2248
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2820
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2812
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2104
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1400
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3144
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3052
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3264
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3276
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3212
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4072
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2420
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3268
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1516
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3324
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3136
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3260
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3248
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3508
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3636
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3144
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:4048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2708
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:1448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2400
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2376
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3648
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3204
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3264
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3320
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3424
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2168
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3180
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2868
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3248
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3372
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1908
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2456
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2376
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3132
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3516
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3156
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3656
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3136
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3144
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2204
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4052
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4004
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2180
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3792
- - C:\Windows\SysWOW64\cipher.exe
    cipher /k /h /e C:\Users\Admin\Desktop\*
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\cipher.exe
    cipher C:\Users\Admin\Desktop\*
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2628
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\doc.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2568
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2568 CREDAT:275457 /prefetch:2
      4⤵
      Manipulates Digital Signatures
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:1052
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2568 CREDAT:406532 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3400
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\butdes.exe
    butdes.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:996
  - - C:\Users\Admin\AppData\Local\Temp\is-AT422.tmp\butdes.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-AT422.tmp\butdes.tmp" /SL5="$20106,2719719,54272,C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\butdes.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:1316
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\flydes.exe
    flydes.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\is-B1CA3.tmp\flydes.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-B1CA3.tmp\flydes.tmp" /SL5="$200FA,595662,54272,C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\flydes.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:2784
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\i.exe
    i.exe
    3⤵
    - Executes dropped EXE
    PID:1848
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2356
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\gx.exe
    gx.exe
    3⤵
    - Executes dropped EXE
    PID:2476
  - - C:\Users\Admin\AppData\Local\Temp\7zSCA954796\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zSCA954796\setup.exe --server-tracking-blob=MzY5Njg4ZTc1OTE1MjcyMTMxZmYwZTk4ODU3ZWE4Mjk0NjQ0Nzc5MjcxMWY4OGZhOThlNTU5YmNlNzA1NmJiOTp7ImNvdW50cnkiOiJOTCIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9OTF9VVlJfMzczNiZlZGl0aW9uPXN0ZC0yJnV0bV9jb250ZW50PTM3MzZfJnV0bV9pZD0wNTgwYWM0YWUyOTA0ZDA3ODNkOTQxNWE0NWRhZGFkYSZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRnJ1JTJGZ3glM0ZlZGl0aW9uJTNEc3RkLTIlMjZ1dG1fc291cmNlJTNEUFdOZ2FtZXMlMjZ1dG1fbWVkaXVtJTNEcGElMjZ1dG1fY2FtcGFpZ24lM0RQV05fTkxfVVZSXzM3MzYlMjZ1dG1fY29udGVudCUzRDM3MzZfJTI2dXRtX2lkJTNEMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkZneCZ1dG1faWQ9MDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmZGxfdG9rZW49NzAwOTYzNzgiLCJ0aW1lc3RhbXAiOiIxNzI1ODAyMjIzLjgwMDQiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTI4LjAuMC4wIFNhZmFyaS81MzcuMzYgRWRnLzEyOC4wLjAuMCIsInV0bSI6eyJjYW1wYWlnbiI6IlBXTl9OTF9VVlJfMzczNiIsImNvbnRlbnQiOiIzNzM2XyIsImlkIjoiMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS9neCIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiI0ODkyOGFmMC1jZDc3LTQ0NDctYTQyNy1kNzY5ODRmOGQ5NGMifQ==
      4⤵
      Executes dropped EXE
      PID:336
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\bundle.exe
    bundle.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2264
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\rckdck.exe
    rckdck.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\is-BDMAP.tmp\is-B7SV1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-BDMAP.tmp\is-B7SV1.tmp" /SL4 $30204 "C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\rckdck.exe" 6123423 52736
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:1512
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\avg.exe
    avg.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\ajC545.exe
      "C:\Users\Admin\AppData\Local\Temp\ajC545.exe" /relaunch=8 /was_elevated=1 /tagdata
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3872
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\telamon.exe
    telamon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\is-99SPH.tmp\telamon.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-99SPH.tmp\telamon.tmp" /SL5="$501D4,1520969,918016,C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\telamon.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      PID:2316
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-TVHGT.tmp\tt-installer-helper.exe" --getuid > "C:\Users\Admin\AppData\Local\Temp\is-TVHGT.tmp\~execwithresult.txt""
        5⤵
        Loads dropped DLL
        
        PID:1228
      - C:\Users\Admin\AppData\Local\Temp\is-TVHGT.tmp\tt-installer-helper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-TVHGT.tmp\tt-installer-helper.exe" --getuid
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:784
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-TVHGT.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\telamon.exe > "C:\Users\Admin\AppData\Local\Temp\is-TVHGT.tmp\~execwithresult.txt""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:484
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\stopwatch.exe
    stopwatch.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:2792
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\gadget.msi"
    3⤵
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    PID:544
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\g_.exe
    g_.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2064
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\t.exe
    t.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1984
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\g.exe
    g.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:756
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\e.exe
    e.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2276
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\GAB
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1536
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\Bootstraper.exe
    Bootstraper.exe
    3⤵
    - Executes dropped EXE
    PID:1620
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\SalaNses'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1916
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:2240
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1488
      4⤵
      Loads dropped DLL
      Program crash
      PID:2036
- - C:\Windows\SysWOW64\timeout.exe
    timeout 10
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K proxy.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      PID:1212
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\GAB\12124.CompositeFont"
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:3984
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\GAB\12124.ini
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1580
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\GAB\12124.ttc
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\GAB\12124.TTF
    3⤵
    PID:1656
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\cobstrk.exe
    cobstrk.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:784
  - - C:\Windows\System\LPwMdtt.exe
      C:\Windows\System\LPwMdtt.exe
      4⤵
      Executes dropped EXE
      PID:1308
  - - C:\Windows\System\AqgazBJ.exe
      C:\Windows\System\AqgazBJ.exe
      4⤵
      Executes dropped EXE
      PID:3208
  - - C:\Windows\System\gzZWPfP.exe
      C:\Windows\System\gzZWPfP.exe
      4⤵
      Executes dropped EXE
      PID:1144
  - - C:\Windows\System\JDlngRe.exe
      C:\Windows\System\JDlngRe.exe
      4⤵
      Executes dropped EXE
      PID:3316
  - - C:\Windows\System\kIEqvzE.exe
      C:\Windows\System\kIEqvzE.exe
      4⤵
      Executes dropped EXE
      PID:3828
  - - C:\Windows\System\yjWOXBh.exe
      C:\Windows\System\yjWOXBh.exe
      4⤵
      Executes dropped EXE
      PID:2428
  - - C:\Windows\System\ubHASpP.exe
      C:\Windows\System\ubHASpP.exe
      4⤵
      Executes dropped EXE
      PID:2356
  - - C:\Windows\System\CVItvVF.exe
      C:\Windows\System\CVItvVF.exe
      4⤵
      Executes dropped EXE
      PID:3204
  - - C:\Windows\System\StoHCtS.exe
      C:\Windows\System\StoHCtS.exe
      4⤵
      Executes dropped EXE
      PID:2016
  - - C:\Windows\System\vRHhXrQ.exe
      C:\Windows\System\vRHhXrQ.exe
      4⤵
      Executes dropped EXE
      PID:3388
  - - C:\Windows\System\CBZgHom.exe
      C:\Windows\System\CBZgHom.exe
      4⤵
      Executes dropped EXE
      PID:2788
  - - C:\Windows\System\JJnUoIZ.exe
      C:\Windows\System\JJnUoIZ.exe
      4⤵
      Executes dropped EXE
      PID:3640
  - - C:\Windows\System\iqJRrkd.exe
      C:\Windows\System\iqJRrkd.exe
      4⤵
      Executes dropped EXE
      PID:3248
  - - C:\Windows\System\QfQOBgs.exe
      C:\Windows\System\QfQOBgs.exe
      4⤵
      Executes dropped EXE
      PID:1952
  - - C:\Windows\System\ZffLsVg.exe
      C:\Windows\System\ZffLsVg.exe
      4⤵
      Executes dropped EXE
      PID:3552
  - - C:\Windows\System\GkHarMd.exe
      C:\Windows\System\GkHarMd.exe
      4⤵
      Executes dropped EXE
      PID:3772
  - - C:\Windows\System\YHjNmQg.exe
      C:\Windows\System\YHjNmQg.exe
      4⤵
      Executes dropped EXE
      PID:3512
  - - C:\Windows\System\spgvHkX.exe
      C:\Windows\System\spgvHkX.exe
      4⤵
      Executes dropped EXE
      PID:3444
  - - C:\Windows\System\vhLKMCH.exe
      C:\Windows\System\vhLKMCH.exe
      4⤵
      Executes dropped EXE
      PID:3684
  - - C:\Windows\System\wbDzikW.exe
      C:\Windows\System\wbDzikW.exe
      4⤵
      Executes dropped EXE
      PID:3448
  - - C:\Windows\System\rFsoxpw.exe
      C:\Windows\System\rFsoxpw.exe
      4⤵
      Executes dropped EXE
      PID:3868
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\jaf.exe
    jaf.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:4036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K des.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2936
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\file.exe
    file.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2416
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:4040
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\PurchaseOrder.exe
    PurchaseOrder.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1240
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\PurchaseOrder.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2780
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TESAYt.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2256
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TESAYt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2A0D.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3780
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:2252

C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
1⤵
- Suspicious use of FindShellTrayWindow
PID:2592

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14449644431155190463-1415264886-2083368116-1111401210-1305289330-1993159112-85886479"
1⤵
PID:1860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2440

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "207382624-91590203670616082121125660201680786926-1799209484-1685588046-1406603588"
1⤵
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GAB\12124.CompositeFont

Filesize
42KB

MD5
8f64a583b0823bfc2fdf7277e67b5e16

SHA1
f8029c828d0aef58f8818b866f1f7f1ec2f095b8

SHA256
b637a0f9031088d08147f397836fe1c16b15c70db696db4ddea05ec5b95b4f91

SHA512
e8c7941c8a42f6408b0071c7f0ea06a226757d3a07e3943738296c5dd5e5e60d682424182f0d788f42a5758f1c76ef1ec89901acc43799833234f09f3b4278a2

Download Submit
C:\GAB\12124.TTF

Filesize
136KB

MD5
c8e8cfdfffd407b745e1e780d6719ab5

SHA1
a9a65b97e92ae77b0a32ccd9cc0ef644df74c990

SHA256
7a7307630b53d9752816020ace0f44e51c73632b83413547a5a6d0f2c2358aa4

SHA512
2df662821dc5085bee5cfd5a60da0833a376fa85e4a2e0afbde59667fd5588ea0042c3ee7f48efef8a107f2c7dfc274a6888c436d4c554b878ad4ae716cc2247

Download Submit
C:\GAB\12124.TTF

Filesize
192KB

MD5
0a693b8dbd389ffec917b803f5bb90c9

SHA1
f72753abe717658156504746c42b1a755629c3ea

SHA256
11f8c3730d5e82bb6afc37b601fe45e19e4660f7e0c7a7e39d0a3fec03e4a9e6

SHA512
5ea6b9a2ca98f299e2f68d7ac50adfec93ed40ec75396ee2343a79ae38af4ee4365117aee028b6eab556d0528e322536e5907a60fd7f43dea6a2684f217501e5

Download Submit
C:\GAB\12124.TTF

Filesize
320KB

MD5
66731ed90e4337a449de405db4c1135d

SHA1
5304930c56244a97350cd67196bc187a229a5371

SHA256
5fda15b2870417a80c151f0a09c8db917ecd196d56f78f088dbc4be02d0df610

SHA512
1990c76e082307f62e57ee23c8f2c564a14099738a1c3114f490a06155804d91800bb0c8baf12b651b91055547b783201a7c22c1908ac06863d83f8bbaeaed5c

Download Submit
C:\GAB\12124.TTF

Filesize
256KB

MD5
594cbc2f4fad810908cca286513ffe2a

SHA1
3978a7e35df40b8bd9fd9552d1a190fdffa9cc8d

SHA256
74e0b5a9faed5e7fe550f8ba7dc200b6a39a461052c8c56fe13d9b2a74810ffa

SHA512
f7623a944f9bb47c72f378bedfee38f61e6be8411ae6b4be037fb12eeed243da1073888d78eec9a967716a813e7b7e76081e63fdd11102db8fb83d172f859df0

Download Submit
C:\GAB\12124.TTF

Filesize
64KB

MD5
2fb751c5d01a8730ccd606f2cb7f1cc9

SHA1
adac577ecef1cf4a707489062657f9cb5548e779

SHA256
d85cf5e32aa70aa19c67bc7399aea3c1d3da0233941dc69cbd75f969813b0ed1

SHA512
e441987977582e50190b661d6bc79cca1219100edcd0756ca3164eae33a802e830aa4e4208ac9ca994dbf4c7d0aaa88416df06a3ba4b00852be52309c3980405

Download Submit
C:\GAB\12124.TTF

Filesize
230KB

MD5
5b536b9b1f28541888176c236178057f

SHA1
e41e28d0c7d48fc58638c59839dfc08302d3eba5

SHA256
1c1e219f774ca60bfbe8945c39a3652a869193a6b0dd94b9df83c9c7b447da37

SHA512
ef3fb0094ddd4a064e1ffa4d4dd048247025cb3623f01c5eff1fd3678dd0e034645f7ed8c23afb21d98bdbec03f2e6fa22b851134eab949fd23163f7cfc52eb2

Download Submit
C:\GAB\12124.TTF

Filesize
95KB

MD5
4fb4a2f74f31ab19c4e84e68fbfb856b

SHA1
447736514db2b0fa70be286fb7f570d38f038adb

SHA256
b20f47e9d886735d6a714f18d8edd690a02b0bfb86cf1952627d66f1376a755f

SHA512
6b9a8a2e38dff1f16e9a8ee640ec7d9e54b36c986907d9f370424c6a9dac635fdd2d9dbc85a9f3776b5b3d21675894c8ca0c0b51c813e1591428b8fcd1b5d096

Download Submit
C:\GAB\12124.TTF

Filesize
64KB

MD5
8343727082ea421c260d3d9d4c91dda9

SHA1
8d769d4404f3de814ff3d2b936080a215d6d5608

SHA256
1db6cd7959ce76f1580495c7f87ad7cc2e6489d1fd20ae6038f7792ac593492b

SHA512
7289e9f699cbe10bb624132b85afde02c48a9025a924ed30af7c2029ff3509c6ce9b89725a8f4639badfccc069691371dd21f757bb0ea248d696c17bc44ea7f6

Download Submit
C:\GAB\12124.TTF

Filesize
256KB

MD5
92da2ed00325caf48d45b9140a60f0cb

SHA1
532f571fa9bbe2b72b8521de758f79a315416831

SHA256
135c532cd4ab93a6530e5159adca85b3f5de294347fb690dec91b3956a4b7a2b

SHA512
60b993d82665bf984d9a0d2dde42ade937044666df32f78c0e1726edc40dde792ce572fd0a2cc01323208525ff7410e6e160bf33390b16f56e8cca122c86dc43

Download Submit
C:\GAB\12124.TTF

Filesize
50KB

MD5
34a1156588649c61ea04538baaeef237

SHA1
3f3f5e77146f7ab00ab137e52fbeedaa82755aba

SHA256
e334bf287bdf4211fe5958c4926c8ad4ddd3f44f5fdcb2d9dcfa1394186d8132

SHA512
10b011cb0532aeb2fbb637cefe22649927c0b8176c3fa2ce76c0d5683a68de7ff9cb0b0c4c279241c88f7784d6b46b9ce71b23924fb706bd282e05a1c4829fcb

Download Submit
C:\GAB\12124.TTF

Filesize
448KB

MD5
94edddd4cfe99b1901af05d679a367b7

SHA1
863680c4dfadeb7077d067b46159079391f3d296

SHA256
78c60771dfe4e1e7d876c38afcd1dffeab1c41edb38b48c62dc7c4543b21c831

SHA512
98b0026837a867e9069952f2d303e54ea059eafda1e15172c80aafa5e38906fecc52872255a15922ec582b4a561db95b301383c596ea50158b0986c78f079107

Download Submit
C:\GAB\12124.TTF

Filesize
320KB

MD5
3c0cfe6e48b4bb599df74b286e0152aa

SHA1
2d24b7f44d7ccf6d28b1058458bba8dff9b9e69d

SHA256
c5abd410c609dc4d70e2a0a436066ea63032f5ff3837d0c2ba270e5391dd1762

SHA512
2a39859d2b5ea6a1a466d19c8a11711bee47e014d929d7945213a680736899bdf3aa4be08c7999ee3ed958a157e240ae039bfbbc0fc478ddb51da96ba94fd82d

Download Submit
C:\GAB\12124.TTF

Filesize
129KB

MD5
db545a2bc801f03ad8c7ced97ca9b235

SHA1
b49c8ac055e7f472ed104ad7f22d8767f8e09330

SHA256
3eaf9f100e83e6349309f2907bb1760c8f16d7bb3da2b0f2593f3ade4c2d1b1e

SHA512
5b8c324a4f5f0ba4253678e0220c9fa4aec0de7c14d5c81275051ac68b5f257a6a8297ab357297c4d812c851b4d58355994c9fdd3df1171b1450142b5e075ac8

Download Submit
C:\GAB\12124.TTF

Filesize
52KB

MD5
da7d0632677782c7c4dd8b201ce85a8f

SHA1
5cb7456fbc6be038b5c44f5e4689ca181fa8b82e

SHA256
0f9cd250887e38b99ff7111769d249daee8634c2c875f49c3599017bd2586aab

SHA512
31c755cd6c8db9e817ebeba9ef8f881c554149250d389c7a2d94738b4402ed04253d91c338e304dee104da4e02b99eb84b4c75b2cbdde33f0d02f17988d96c09

Download Submit
C:\GAB\12124.TTF

Filesize
640KB

MD5
5d87fd8d4f1144cf2fbe7111d8ce796b

SHA1
4cfa1e77e6dff39defaef422c932e2cf5a9e97cf

SHA256
ee7506cdabc18858352e8f7aaa861b96341ba42214619074f76868762d2cd016

SHA512
6330f59576b07de9f1d0809006ee211d7974be2696979cab47a85a67410632b7ed3abe0fd7618f1556fca4f391249684080e6bbd376ef47c1b2bd0046b0aa49f

Download Submit
C:\GAB\12124.TTF

Filesize
384KB

MD5
5632b9af8b443848533fee3ee2178550

SHA1
77805e504c7ac017249c36a7863caaa56ed63f98

SHA256
11d967d8953ae3396c9e8d8683e84b81e06eead35e61f5799434909260b4eaf2

SHA512
5189902ec580d33ffd6f2aa87fe807d81dee43a14843d77e2310889e6a6a1b778a05f1d53084e52a5f6746827aa23d4ba397a4b11717c15fd7a6de33a297a987

Download Submit
C:\GAB\12124.TTF

Filesize
384KB

MD5
c63167e0f32764e9ce4f23a47a05d681

SHA1
48774ce67dffc082f96529e5a644a1a2279d3c84

SHA256
62493a392c74a8c8c57b9ff32febe9f012929d5571c39bb814c1421cbce2f12e

SHA512
2bc524df9e7a80767bac8a20c752c3b0794a72d0b098759263ed2c0fca863bbf99ae97a338b68c0c885936798dea561cbf048677b89f33a21480abfc1b1df010

Download Submit
C:\GAB\12124.TTF

Filesize
2.4MB

MD5
9a76fab2920e952d4d23370753b1eefa

SHA1
f4134ec0b7e0da18fffb97b6628f050425b4c0b9

SHA256
d3f6cb525b7f78ee8ddce0e2aafe8d861885052511ba0ceef419c3a013700d94

SHA512
529b1ffcdb9b264799f790b8b4e11496817b56147c854085e1c5120806e9306cb077e6760208c573e3feceefb7cf5c16b5071e8d8a8d2ee4edcc23c22e23693c

Download Submit
C:\GAB\12124.TTF

Filesize
172KB

MD5
2db38063f2ba216431fca36ace404c81

SHA1
cd069f95e596aeef2a05e715d6b74d5066973185

SHA256
99c12127c9f5acfd100338a116d3fdcc94693510c3571a4c04fdc6b52c9173fe

SHA512
76e28724ee9adf03845b4b2905cba58c4d0630ac9545a5c025c3215b77cd0feb502fe68f0f7e7a0fe8bff1901e7ab5c1d9eab9dd1e25775868f92cd9ee9efd71

Download Submit
C:\GAB\12124.TTF

Filesize
170KB

MD5
f78be05df653823ef8a45288ac3ceb7d

SHA1
7ed2915ae98ffb501050f4b38e24fcc919c2a9a6

SHA256
e1571d8df7bd74f2c983c17e6572209372291d87106151c37fad0f726cecdd88

SHA512
2786d66736f755de7b299648e73ef72907386bfdcc1937106e099e798a550d37982087e11f98109ea36a9596d4c0633d54426b8431a74cad6863db97852ccb0d

Download Submit
C:\GAB\12124.TTF

Filesize
71KB

MD5
831102b16dcd2ccb645fa9ed60178108

SHA1
cce031d4ce95e9ddd3925a1038e4a00cbed35d10

SHA256
55f0c20e67ec3a1657c6db909597641572aa50429513d413cd54b156feda1ac8

SHA512
7ead470e20c57ad39b63f2edb417090cc1eafc0d41a2d224977848fc189e094be21dda32d8582b99f4d908f801de1284b6916fa3923baaa23ecc33560076ea06

Download Submit
C:\GAB\12124.TTF

Filesize
233KB

MD5
8880fe9b1114ec2af3aee5e5e3e30e3a

SHA1
a7d1c1a50a6319292426513c96d155f0e8b55ed8

SHA256
ccb736bc0998104ae0d66938523b036596afe7d90f173bba8e01a9ba5795302f

SHA512
ebd602b7dd2f1be5641d07b46c90b922d046d57e48477eb3bfa0f4d1662357faa9f817cc385b6d9116d8e887b300f9147cf7273f322988d987bb14e2122a3679

Download Submit
C:\GAB\12124.TTF

Filesize
171KB

MD5
b592a65e85d41f51230958c04130d340

SHA1
278a4278161a0a00a6af0d204d7876027fff8d2e

SHA256
bf2eb7af0acdedaf1984fe2e68c1eb5dcf69798c4161100272d086701e6b10cf

SHA512
f08c920f69764c1a07c1fa8a8e810a2b3930db45c5609043db240238581f423e8296a65d85d404ca2481e1a51ab52d47986c5144035d6187b149cf5ba6ce76c2

Download Submit
C:\GAB\12124.TTF

Filesize
118KB

MD5
d1ac2480838a258c7ad93f344c8c2282

SHA1
81d286025bd69343cb19dbe903d931cdda9a0f2f

SHA256
0d5b9d3ae202e488d5b90e090b26c85aebba0ab9387c7836abcf490bd998cf45

SHA512
ea397d3e1a8ffcbaf1d674b5f86639fe7eb16d123b76084df7f177cd749ede6602575d42fc6d09bfe0c3d3d25d20b2cc8d2b91ac8986af6db9e4d3ad57deb079

Download Submit
C:\GAB\12124.TTF

Filesize
34KB

MD5
9e2ee65661bee40438d514fe592bfcf8

SHA1
140a77e69329638a5c53dc01fbcfe0ce9ab93423

SHA256
ac9ee085920a3d8b076d5e0c61dc9df42c4bac28d1fc968344f9ceddb3972f69

SHA512
3b3c7ff00d8f12cea48008a2e95c194f7fc64ee96425a3cfefb8b65a9f7dad66fa16104ec1cf96ac6892426e5e8ab59dab91e3d56d76f58753b80f8ac48f2612

Download Submit
C:\GAB\12124.TTF

Filesize
896KB

MD5
5bb61df29613ccb06f160502c6acd140

SHA1
7e0150c5488df4044805139e8dd38f3fe686db40

SHA256
5a0ca3db9fb2df70178903666d5ca78f5d2d426a57a38e54031960e90f152a0a

SHA512
86f803056d3f30243cbf8a08a795d9aae5850d460a89b3ac4ccce9e0d502a64ee7c47181f553e7a6738a858f5ae9d46b74862bfd33d86503a8f907df446a3355

Download Submit
C:\GAB\12124.TTF

Filesize
53KB

MD5
9ecec61376083fd290b75d94fdaca380

SHA1
dd637614eed073f093391c2b7b8ff80699da755f

SHA256
529c972a6d5c1992c76e908255f655f98989b74b146058c90555af6d925a1715

SHA512
d3d0262f12c74f347c4fc651248a74a34b12f8b027ffc37560de697210973d3abe8c0a5892d7f4bd3a24b1207a0bce8dcf7393e3dffa0096da7551b78ad8b1ad

Download Submit
C:\GAB\12124.TTF

Filesize
78KB

MD5
1012dfd260bf0b2ad3918cee622b0a0e

SHA1
e2e9214f22241131fde281eff18eeed6eb7c1676

SHA256
37194e3c2d5b000443d23dc324b1367cbe2be40f28c2a6c693e6051210432ca3

SHA512
57066fd9e0e0f550287d043c3ac1b2358475ab10616aa2e22fddd1a1eb471ff8e142dd5b7d713a6539ccba78519ac0bf608e2a68c9979984fe6d6dc35ab9f59f

Download Submit
C:\GAB\12124.TTF

Filesize
117KB

MD5
122ead7aeb90fa9af7461449e3ef6321

SHA1
244a51e44c86d7fd921643d4427bd706ee1a4a38

SHA256
dc44d4e53ef9ce894d225d2711e384b7d6ac9f24327c5086b4e59d0f43417b69

SHA512
c16f22e16e14b2366bb244b6dcf588ea78502e1721fad36340fd4f589460b3eb071d5daabcd09681ac217912c462b4167f295deb9c38a12eee3bac714bde60d1

Download Submit
C:\GAB\12124.TTF

Filesize
356KB

MD5
4469b7659ee4a9c5c553d665387656cb

SHA1
5388a4b0a8475afe854b82e3cdb1fe5a4899736d

SHA256
cf71a24517d39d7bc1f8d85bf0f1ad4d8b06973e56c503aa7420def452ee9111

SHA512
fecf5097dcb1833347b6ba45f22388e57d83e91a495d66124228979bbd1da2c64a75286a76b0bdf28a2d90bcc7245ddec39b114a514007b08ad7f900b929cbb5

Download Submit
C:\GAB\12124.TTF

Filesize
356KB

MD5
4e16eb4ac91e44dc73abd3a7d4ed465a

SHA1
c51ad3d4d5c5e83cd522428a98bf55009a146508

SHA256
18db132c539323badaf0e1c9ceffa497e1996946a8faac26cc5fbe6fc8233314

SHA512
befb6c55f754b11980159a040e96a425ce5f911e277655e3ec77ea78d48ce6921a4e1cf36ff49aa09171449b1723cb5c0a33fe76a97f55c01f6ae07902586704

Download Submit
C:\GAB\12124.TTF

Filesize
430KB

MD5
5c832621e68f18ac631ffd56f42357b1

SHA1
0541f4f15192e5162221897f4a7077feb8fc6e2d

SHA256
da5a7fb236abfcdb6f50246e95161f76d87156e07170dc3ed96ba48caf0a4ceb

SHA512
d3615db3175918e8e91806bf8f8694f1b38028376a65dc559aa6e027e080910adca63e0c7939a32918a6b3f5e1cb58ddb87de0784ff5c11cbe6a83fdbc52b914

Download Submit
C:\GAB\12124.TTF

Filesize
384KB

MD5
4b6ef1fb765430e44478ac7dbdf091ce

SHA1
bc15b0da7d00a3696f6c7b772feec85720341610

SHA256
ab9cac40a6e984ed6ce13587a563cfd2c140f497d096efd5c1a4029179a283f7

SHA512
7840af5d5fe33419b85aedfdf6a43c2fce4a4bbf6f3c6ae301d4c6098348b997d98484283e9140f5d0870c1e7cd13b7811930722eb6c9a107a23186b2835f3c2

Download Submit
C:\GAB\12124.TTF

Filesize
67KB

MD5
c0723a1d718ec801e6f620fe9206ab98

SHA1
99e16092c46b4349291cf0b803f14feb853907f1

SHA256
6a9f05c648e125593549f4fbc19ad3ffefc27b30e71eb28ca9669ab5e5a0c8d8

SHA512
5df80f41836cdb1572535e5644804b70720a496a4b3819d1fe8c06164dafff3d02f84fdd0082887b172fbc4108f5a54eb649096c7ac6f33c04385be0a56853b7

Download Submit
C:\GAB\12124.TTF

Filesize
64KB

MD5
fb6ca959de5f73d25bfd26e69e0f56d9

SHA1
8562dce405026b7c04f0f9e507582c23ac2d5041

SHA256
f8fbece9174a21656c2acb26e598c2777ef234eadef9efa807f8ffbad8c47393

SHA512
b77f442be030c75efe6a8556adce79e691deca689dc48898d51be7efe5bcfcd9c8db0c4a0c74f238572bcb6b7f2e144319ec7d3e3ec94ad069c73174818bf198

Download Submit
C:\GAB\12124.fon

Filesize
6KB

MD5
ac2aad216301bc75f750ac93543c941b

SHA1
0a9a8a43087b94e829801287c7bd44ae49553935

SHA256
b904000ce079d3a87698a1e16d82f944dd49fc77e9326e698c9c402f2287133a

SHA512
c9f113198a4e713141e80343ce38306899cc2df78373630215de2ac4acc80753bfb36395f66b7d28a7f1f28628903e01fc6f4925ad09e22f4b309cb83cf5f206

Download Submit
C:\GAB\12124.fon

Filesize
7KB

MD5
ad75fb38d57de96a18fd5fcad4a282cb

SHA1
2689835e7573d1ea8cfdf6ae7fd77b671baccbc7

SHA256
c7b31d6d41b52ea093fc845bb51f5fc8bb772b278a0cd8d0dac980dc9e6b08eb

SHA512
ef3e09211a3e58428b94bda0f84d84e83e1e76f40b6f633a6a0e4121cfbdd4cf5253627be285e853d8c536a611f8abf6b2cfdff69033e596c56aaa5b625b6bc2

Download Submit
C:\GAB\12124.fon

Filesize
82KB

MD5
5972eeea7971170eb72cab2fc85c2b17

SHA1
d327d96bd78c5e851e065d053829abbb370c0c09

SHA256
9677467feb714a89de457e262ff6647708b7de66127671b77f7e1e92aa0c2f41

SHA512
c55c5217271f29bd3a7a130daa5e5711eff65630127f90112a26bb4ba3dbf416059f9424606bc1998ff4eec874c18767a395e20c3dc516a00079b2c5a7221ed3

Download Submit
C:\GAB\12124.fon

Filesize
28KB

MD5
dbd3d8fc37414e352aba805a7ac4d209

SHA1
70a7eaded9a29c96774e69e1fa04823f96d1ce62

SHA256
3db519d02b751f890b5f4a92160ac240c988c9a88f9f0f823b5f6763a4c56ded

SHA512
f473f0b1fde4fccf87ee229af40aa52450b8e1b44736f0165ae606f3ff63f8bef0ff4ba9560d062f1fae4c630a74ad04ffcffd039d2c1404384c7e0e91f4bccc

Download Submit
C:\GAB\12124.fon

Filesize
24KB

MD5
7fdc5a1e1b63c56267320402c42ed983

SHA1
5000fa8de9984acd6527e482d498272c31aa2501

SHA256
8d8ccfcce003de503f930ff9b564c75b8f044b04f61758390a5d7a48df583470

SHA512
def458372a70f849359ad322fffd383421e5328d7e8b40290bed5074899c5a4f7b86a35cfcb009683328d649b0f615d6d638f9b237c607589b6a90bd6d55ca8c

Download Submit
C:\GAB\12124.fon

Filesize
28KB

MD5
0dc2bd4e86f1a477f68e7043cb442015

SHA1
ae19367b61b4a2083c091fe10470c736355adeb1

SHA256
29bb8f342406597a6c39408093149e5c6557fc7ce981d1e68a3a67e90b86497a

SHA512
7167cd474a7e983d8b2943533d0aa686778ca8a8753a2941f5aa8c761dc10a04443355ed505115bb6e5be03242cb7653ccd4c439def94581af88c885550caf12

Download Submit
C:\GAB\12124.fon

Filesize
12KB

MD5
40f8022c3fe4e1cc97bb794e1b519b3f

SHA1
7ff107451b67b2d432db4706c697a9391c13a6f4

SHA256
6b16818c057024f588f4f423cb1f50d24e092fca3c9b5c8c1943cf5b3ea70759

SHA512
08a85d0203a0534067538ba0c1f40273409f61f212269cb3095df1defc114ff007efcb4c3c4897a345cda17db16c98b88ae61100b9e4636862d26edb8a402ba3

Download Submit
C:\GAB\12124.fon

Filesize
7KB

MD5
504787028b2f17b347757251928d85e3

SHA1
07692f6e9cdad6abe062a6dfffdffede8afdb3fe

SHA256
bdb602af5d05aee105eef316127ab4ea6a12235d68099a52f53ad9460690c185

SHA512
8ddac3202a2ac495bdfa7be0bdd8d2081e18759480436e5679cc42204278fdf88ff153396df5a74e2563a2b2c025a731de93953d6ae85017c84f458af483518b

Download Submit
C:\GAB\12124.fon

Filesize
7KB

MD5
6e78ea1629ed74deed4190d87aecbbea

SHA1
c1e6e0eea7d9e7b7e693530ed43cc271567e5bf1

SHA256
9ae1c525224824cbb209b46c64d19cfac121f1bee266a9924ec5319f7ea45295

SHA512
60be03a64880316b9d8c1dac2e9884dd1bf764ceba0be2c47a114cec20c285f6a925dcfd4f1f855f863775e6896ad8e9239ed45523ac317c4388449dd93509d6

Download Submit
C:\GAB\12124.fon

Filesize
5KB

MD5
e5f5a5502d3f7c6588288c0d9696fba5

SHA1
449ef97c8b704591518c996bcdd872fdc1639259

SHA256
496b3a671d898d7f451831168af63160c7bdeea47d6ef023fa7da0943744d355

SHA512
d51202eaef95ab84ea4142035aed42c8a99c09e1da175a72ef9b2053c93c3bb3678fe02f22916518703054e5eb51a617c5ac29cc1c72562d8cea7359d29974d1

Download Submit
C:\GAB\12124.fon

Filesize
5KB

MD5
6ca95c4d80777b01c1c83508a078f465

SHA1
cf7252f08718a7c3b7e2012183222db6fdae83ac

SHA256
011326f65e151d83c157ef6fdd23a2d851e8d0f2662d8409ea0b4a142e343a13

SHA512
74641b24f3dc1e5347c8c3a1a5fac7e8c33faac2d21482add12dcabeace5b11503e963ad2b8fa4ade71ddc7ae804f9be4d64d8fd95f1410db2495bca390e05a3

Download Submit
C:\GAB\12124.fon

Filesize
6KB

MD5
a38ae433b0e7a6f039e5258d1864dd88

SHA1
ee7dbcda95b618cea7f7912dd8aff47a3217e554

SHA256
ff5bc967c1a565f42bb0a02f43aeb7e5c2333cafa5b75e7a3339cf1aaa5883bd

SHA512
6124c8a802521dd5939d8f4b7ebdd960bcbf7e412c85e4dba2767c508a87306711c77e24e4f91c84596d0b3531d3e5e8329b74a385f63f04b7b34678e7de40fd

Download Submit
C:\GAB\12124.fon

Filesize
6KB

MD5
8a5dbabcb9b11e3e0c527b93e69d5e4d

SHA1
c47add614ece5ed16ca456bac08b1f2cbaccfec9

SHA256
824ea3f5eabd9c3b8e0041e78935feb65545f58760ce0c47a0d938ad75f8e241

SHA512
ddcb3520d68321e6372630cb34473c7b310ffed1263cde8e1059837e63e42e7a7e644537044dee774e9ea3e912e485f2630bc106233e039ea925355ec29921c0

Download Submit
C:\GAB\12124.fon

Filesize
68KB

MD5
5e142e4d090d689cd44fa8fe9882a743

SHA1
0301f8c9422f933c9d7a65bbe4f7c45feb4fef24

SHA256
a23e6b523d0e3d16cd197e5a525e3f299144577dbdb860ab91e7c14652aad3d4

SHA512
23f77ca93a178d4fdecf54ca1cb6cbc8d6c816deddc630d90fcaa5f3d028a9db29301d32b200c70bcbeb94c8491bd44ffeef51233cfeb011e2081825b167ba16

Download Submit
C:\GAB\12124.fon

Filesize
17KB

MD5
08204b8185f06076e625401e4ad1dd40

SHA1
da572b8772aa5b717d481ede5550b402668e5da9

SHA256
81538026940fedac874529cf77980f0813c8a3ab3264e06bed007a280e224ce7

SHA512
0f6c45de3c40fd82b36c1535130501dc1221b75bedb9c9c1852065d9592dba301a1ab51f2c837cebfbc36b40c6ed41a5180f401b8561311522e24a805b37ce3e

Download Submit
C:\GAB\12124.fon

Filesize
4KB

MD5
9d2bf033acde5a212f6f5404d490e169

SHA1
a0e28adf40a9d06710d20071dcaba2569b91b1dd

SHA256
93e7c6c123d9b53a2d933f63093b4b85302023517f56abf057f9ef8a94d83b8b

SHA512
8dcb0dd9dc72c2de61e26932b72d5923a43b0f512e8d2df5334f478a78ee80f492bb8cb193dd3a314a6a19dd95e4899b40e7b76c3b1f767f5e8b46d1b1b3c00d

Download Submit
C:\GAB\12124.fon

Filesize
32KB

MD5
b6423b832dbf011afd29bb69d2707ced

SHA1
90a98d0ab2d8c381e9a904ef907c3ee9c8cdcdbe

SHA256
99d928a0c64c405be87abba5e48b4493a224eb0f0c925a3343a4fa6a6aee1bb9

SHA512
f6f828bcd981798ba0af200878c562ab82bbc29f50d451dffd5f4e9fa41ece36bee63b86d1a188f308e24ffe681afe0a11f766b41c1e9c3b7c9ac3bc059d7ae1

Download Submit
C:\GAB\12124.fon

Filesize
12KB

MD5
f319dbb4098519ac71cc776b06a88f66

SHA1
80f2d9b484d93e0e743b09e4666230d2059f75dd

SHA256
5ddc4fcbeeb13a81e3060ea62b1e168f447545012273bc2019940f47cff09c20

SHA512
33d949d412c0fecbdeac49d7e5ae8a621a28a5ba8e8d7a7bfe64ae8ec58ec777b8ab31379705b7fc0f04588ed72bf4e24b6ef4ee7628d11ca1e1fdc040271abb

Download Submit
C:\GAB\12124.fon

Filesize
5KB

MD5
c27256b57a80ba1b00f492e319faa36d

SHA1
4c20a0ba4ff944fbe459e44764ed92c956f9df78

SHA256
335f7722e371a57fd169efdb554ef8080d8fb13dae8270ce2b0116079da27371

SHA512
4de2217e068d2ffcce2c6c2d3deabccecbe2a23d564bb34cd5f85a736c679e80ff139d6cea3c6132f3f681b5f41e927ea228b31cfc143aaf6533c67ceae5d509

Download Submit
C:\GAB\12124.fon

Filesize
5KB

MD5
21475b17405b86f37a2c15a1df2733b3

SHA1
e640903a5fa2a800a27b74c73a02ea855dcbd953

SHA256
6e7a86167874f989433a264345e5ea6c0e000861cbca8153858b23d7d35d5ecc

SHA512
5752f5cdd3d6e56de8d6382dced5b7425fead8cbdb21755fb504320157a4aad3a713fb8d5d4d52e843d60b0251b3c14ee6e7720824ace97b9fd8a5dbf7e0d8f0

Download Submit
C:\GAB\12124.ttc

Filesize
14.6MB

MD5
da88c7db4d66c1b3758fa672e06d8e10

SHA1
37a57d70c6c3ea8e5ca175473cb3ad6f51d62b95

SHA256
dc1228d7ae83948552c2652553a51cb231cbc69282e6f0b0cb08831f59474e97

SHA512
4b08ed9385ddf5a6bdc02535db9dcc7d16743cdd78fd1cd69a6b814655535944f55bec64cf6cde7b4f2e7d860b39d2e0b28454bf0ec2f3db7341746bbc3dee81

Download Submit
C:\GAB\12124.ttc

Filesize
14.6MB

MD5
8e2f7884c33c9fcc4831dbee1e2ec7a3

SHA1
a2ae53751b566facf31cf697ca5411b821ef4e85

SHA256
084004b1f64d454412c48bef25512a6963bea9bed5b5030e747e95dbafba1562

SHA512
d5f24ab07a2e4a8cb39038cd06e8e6ac63c9a33839f71965f300d7e207ed7fd090c0b40812cdf284ab84fc4f5d4900654f1b3b85b9538d1f9f7598ea38da153a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
d777ade66d20ce660cd2ba1a8d2de598

SHA1
ed6c35b85f0ef7d3d4b446a9beda312e12a17040

SHA256
d67681f81ccd6a9ea0181b46e2e65c4f5b6e8613d52abdc21981d2ab5d0d71d1

SHA512
6a51f80f3010f6cc2ea2e5a74c4f45c60cdd5edaa9f2c2bbe979f635049da016a35992ea30c75f72a15ef04ee2d5fddaaf35b01ec8e8bae281a80d70aee42e36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5621cfa8544656675d6e22954cd67a04

SHA1
43d8eee36ecf5c2ab3e8b3f3596e5e5c6bebd857

SHA256
3e593c445fd38d5c045c08a3ea6632161b0004c7987dc7b12593209d1eb217e9

SHA512
926ffb0e7c04fb25cb33ca56c9f952d6934ecb6f4ba842558e95a7f1dd6ffaf8bd7e1d0c4fb6934f89d416c4ffa1ab59505e71b3bc1d745ab7eca03524bf71d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55f1dce7bca4d8ce1b2e8ba67a35d255

SHA1
fefb9ab6df1c697b8cd7e4aa04490ad4570618fc

SHA256
3f72778592822e185c0405dcc59d57247284b47391a83f885215fc8c887a5d96

SHA512
f108ca8ac7a288f5f6be0870c8a1330a5c2c84ea32a7cd756c1345fb835890df2b5a566ba8c59e914eefb7b0f35e73350212cd538e738ebd7472fca9406bab37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
435745d0410c3d592ed94f5a0d80cb6f

SHA1
08bf503163dbe82bf0b7eae2e763fbe911abf7ff

SHA256
a7653d093e10aa94e3f795ba734d7e0933150caa59bf6fb48e5910a9b43c12d0

SHA512
a5ae803fbe657a97f174c8114340d2d7eb494e631fe43254618b4d25345cb81f93e1c81962be8f7644860c17a74bd235ab0d8c297f7462f76dda3b4570303735

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcba6c497e08f9f85903b507f88206c3

SHA1
a7236b30927a62b51d446439420d5ef42216e9cc

SHA256
c093687015e8f9cdb760a5e71885793fce39d3dcd4fda5ef0fdd569eff477238

SHA512
b9332f01598baf83b4c013a88e30e9ae149383cb09ce466886d9f0ef8141a6d7e862b4fbc80ea2115ae0cb125b7c2e0147dc1198eda9451ffebb78ff51352d71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91ff4f13ce450ea13ebfe64ddf2cd1ed

SHA1
70b059d201cc935656ebc8ef8ecc008f557a4e56

SHA256
4b1d34902e3a5c8c34410be216ceed010bfeafd359e423157ff5e6631cc401b8

SHA512
bf570a6958fe6b918c136af7aa69e78176f9ebf69885beb961726d998e0fea6541ea838feeb5af6fadba2cb6d98f0c4343fa03220eff2d4d5e6ee41ffaa44c99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59661937516e33081c9f18b46fd6d7e4

SHA1
f023a1d4c9788494e877e38245ad6eb72cf10e28

SHA256
4ee7f995767875b6f45d27717263a8350c668839b1296598afa0dfe4116e1883

SHA512
c6d09b605f6c492c0142cf7cade70749511479e489b6dbdd379d188d1bfe07a06c0faf95ff36cdd18298fbcd8a3fa3d5045eba247ed7320cceedd131fc9309d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9bef2f49b1ab7c56efa41d0870c641d

SHA1
4ee6108e272d1b12f4f43c2e5adf8fb6bf8418f4

SHA256
3fe0dd2ed1c400d3d41509b46b5a1baf36932655b1083116b3b914f1bb9f96db

SHA512
6ec2e4c3f47e8c73f22a57f4128e2fc2929367aa2e065f866f9df0a17473bcf20b9d587c162c46564c19a685d928c70872c0f4bc71c28719a55a0dd4a969a797

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a2eef7ef506526110dda910ad4aa5d0

SHA1
b11fc20930606fe6dd255d5b731398314af77257

SHA256
2f84142d30a2470d40a48ccb9713510ef6bb304167da77e50108c3da4520691b

SHA512
ddaa7bc95a370a80a8d3526334fbaa06b68b994573b43adcaf7787089f634678628acba155cc9edcab994c39bae2cbe386ba303d77d1b0253e9d4144097f8ed2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8066b848f3b32c6fff8b2970dd56f00f

SHA1
4a26a2d08ba7921d7e81912aa4e5f111dff3f190

SHA256
49d87852b574a36792a8bd8cc4070eba4c1d8b203535d5ec947ae1e83be27d3d

SHA512
cbf2e5055ab9c87d7025829afc30721559573200db00417276bda5c62b4f5dbdc95a4cce1b944a9be47b0da9ad0bc07b9ef30043b4f631ad0b4c5025d1dc7ab3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0653ee6249194ed1178072b4aa433391

SHA1
ced6007632261673c34f9e42c912364567ac35da

SHA256
a28e87324b93cc20321543e91f304f296f0302c111b944c6fd897958b8dc69ca

SHA512
e3f7c63f7b0ad2b3d2ad7afd92e87ed7886239a4c8a75c63b15ca783ecc8bd86ff9a65fdd65452766f976a0b231d3696ab7239190fd5be3995bb903518f71acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA954796\setup.exe

Filesize
6.4MB

MD5
defd30ea336650cc29c0c79fad6fa6b5

SHA1
935d871ed86456c6dd3c83136dc2d1bda5988ff3

SHA256
015a13bd912728e463df6807019b1914dffc3e6735830472e3287150a02e13f4

SHA512
8c6ebbf398fb44ff2254db5a7a2ffbc8803120fa93fa6b72c356c6e8eca45935ab973fe3c90d52d5a7691365caf5b41fe2702b6c76a61a0726faccc392c40e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBC9D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBD0D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\!m.bat

Filesize
1KB

MD5
d295fd5b892b165427abecd1b5aac987

SHA1
ec1bb8ab7bb5ffd6d1c971fde332dab00f78cf5b

SHA256
855a00d99d2cb67512ca1fb49a9954bc085ed9ada3a2d2226757bb347e2cad58

SHA512
800d97dfdb1ef9923c82bf31a77b4cad49bf886aa055d5ee7f4396bc6bcd597a9e638ccdd1cd4878de7d8d273d60228604f97ee6e5b07668002fb08e9636f289

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\VCRUNTIME140D.dll

Filesize
130KB

MD5
ee7fbf8768a87ea64ad4890540ce48f9

SHA1
bcbc1ebd5a592c2df216d3211f309a79f9cd8a9b

SHA256
03eafdf65d672994e592b8acc8a1276ccae1218a5cb9685b9aa6a5ffe1a855fe

SHA512
0cbf346d46b5c0b09c1f3fb4837c8df662bf0c69de8c4ae292b994ec156c91b78dbaad733226d765b1ca3ee1695566dc90bf85086e438fa15b9eb32058abce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\avg.exe

Filesize
5.8MB

MD5
0dc93e1f58cbb736598ce7fa7ecefa33

SHA1
6e539aab5faf7d4ce044c2905a9c27d4393bae30

SHA256
4ec941f22985fee21d2f9d2ae590d5dafebed9a4cf55272b688afe472d454d36

SHA512
73617da787e51609ee779a12fb75fb9eac6ed6e99fd1f4c5c02ff18109747de91a791b1a389434edfe8b96e5b40340f986b8f7b88eac3a330b683dec565a7eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\bundle.exe

Filesize
429KB

MD5
ae4581af98a5b38bce860f76223cb7c9

SHA1
6aa1e2cce517e5914a47816ef8ca79620e50e432

SHA256
7c4b329a4018dc7e927a7d1078c846706efae6e6577f6809defaa51b636e7267

SHA512
11ad90a030999bbb727dbfde7943d27f2442c247633cde5f9696e89796b0f750f85a9be96f01fa3fd1ec97653a334b1376d6bb76d9e43424cabe3a03893ecf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\code.js

Filesize
4KB

MD5
016bf2cf2bad527f1f1ea557408cb036

SHA1
23ab649b9fb99da8db407304ce9ca04f2b50c7b4

SHA256
17bb814cfaa135628fd77aa8a017e4b0dcd3c266b8cdca99e4d7de5d215643c0

SHA512
ac2d4f51b0b1da3c544f08b7d0618b50514509841f81bc9dad03329d5c1a90e205795a51ca59522d3aa660fb60faae19803eceeeea57f141217a6701a70510e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\doc.html

Filesize
15KB

MD5
5622e7755e5f6585a965396b0d528475

SHA1
b059dc59658822334e39323b37082374e8eeaac4

SHA256
080cb8ef0cbf5a5de9163b365eec8b29538e579f14a9caa45c0f11bc173c4147

SHA512
62f5abda3473ca043bf126eed9d0bcc0f775b5ac5f85b4fe52d1d656f476f62188d22cf79b229059a5d05e9258980c787cb755f08ca86e24e5f48655b5447f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\download.jpg

Filesize
8KB

MD5
01a5131931ef35acecbe557ba13f3954

SHA1
c7afc7590d469432704d963ffcee31ad8bcfc175

SHA256
d364872ddde28d81d23bb3b08f9e86f921b542f3a35fcaf12549cf5666462bd0

SHA512
ce32352484d676bd0f47c24808707c603fe9f09e41afd63d90f07599f13a5e32c73b0970a9964632f76f5843dda87a033340ee12fadd87b9f219329d0c69b02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\fence.bat

Filesize
167B

MD5
6465a5431e01a80bf71aca9e9698e5b0

SHA1
d56ed108f13a6c49d57f05e2bf698778fd0b98dc

SHA256
1c5f05fecfc1f4fd508f1d3bbb93a47e8b8196b9eded5de7152a6fa57ca7580f

SHA512
db7f64b8af595d0bf6fd142471868df6d29ec7cfbb49a7e0da63d9bc8ca8f319e4c41f2c7baeafe17a3679861163400ccb36c18617982b244aaf482e9c264e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\flydes.exe

Filesize
833KB

MD5
b401505e8008994bf2a14fdf0deac874

SHA1
e4f7f375b1e88dd71a0274a997ed5d9491bde068

SHA256
6bcf6b84d71737787e3cc8d9d0eed9720f388cc2d0337832a7e8ca3c6f455a41

SHA512
1bca98547ecf5a98d42b1d77cff50ca79ee560c893b2470aeb86887fef6e40a5ccdb72956f04a1d2a862827eebd3b7746e3043f3e6209597dcde9385ed55cc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\fries.jpg

Filesize
12KB

MD5
c4d9d3cd21ef4de91abc95f99c4bc7dc

SHA1
b2cf457237c44c824068727b8440fe6a352a360c

SHA256
6fd1c3bde9a6a478e39d1cf2121e980c0bcf59454fe1673d707aa70170953bc9

SHA512
d10fbb0bdfb30160484950aa58bd2f97c38cf2d0914550b4041c9acd273e8013920ef1ee74216f92437a44ab81111a4c70ed3dc2df680ee4d187c22557900ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\gadget.msi

Filesize
23.4MB

MD5
906ad3937f0abd2e5383dc162340496b

SHA1
d63fe621af79e1468ee0cf52e119ffd21775ca8a

SHA256
821e33cf757bd01bec6703796c01726e6674b8de3bc1e7ea834318039e46909e

SHA512
624d76f7905f57679b647cfc676aa8c55cac72d6baa60db7d5ae45662de5da55f856f64adca382b315810088e757903f6c051685fcc83fe330016a8a95754d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\gx.exe

Filesize
3.1MB

MD5
80bf3bf3b76c80235d24f7c698239089

SHA1
7f6071b502df985580e7c469c6d092472e355765

SHA256
2b95e56af10406fbd3ecee38dab9e9c4a9b990d087f2ad2d7b1981c087829da2

SHA512
076b8b6a80ea15738ce682cc715792546582d7a74f971f94f6b5b9cf8164f01280322baec7f72894ac4b8d63b9f2f6074e8fc5e47880ef6c0b57a47beef3581a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\images.jpg

Filesize
13KB

MD5
49f4fe0c8646909c7cf87adf68d896fd

SHA1
9193264c38e5ed9fa0f5be1d79f802cf946a74cf

SHA256
9292dfcddc9e88e5dbc095ceeb83ce23400a3405a4d47fffc80656941c87d5ec

SHA512
9df4db8c958110cea66f627170919346ed673d3c13aa55292484fc74ebac2864b0292cd4d66d35957b4b2740b2fe30ddfb9d9e04115d655fb58bf39e100d285e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\nuggets.webp

Filesize
32KB

MD5
e40209599b592630dcac551daeb6b849

SHA1
851150b573f94f07e459c320d72505e52c3e74f0

SHA256
3c9aefa00fb2073763e807a7eccac687dcc26598f68564e9f9cf9ffdcd90a2be

SHA512
6da5895f2833a18ddb58ba4a9e78dd0b3047475cae248e974dc45d839f02c62772a6ba6dfe51dd9a37f29b7ec9780e799f60f0e476655006dec693164e17eec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\stopwatch.exe

Filesize
68KB

MD5
338a4b68d3292aa22049a22e9292e2a2

SHA1
9595e6f6d5e18a3e71d623ac4012e7633b020b29

SHA256
490d833205f9dfe4f1950d40c845489aa2d2039a77ab10473384986f8442ea6f

SHA512
06bc6463b65508d050c945d5bf08078eecd6982c74c7bab2a6722b99523189d24f530c10c05577e0dbd5b46e896d472112d036023ef5e576e2a8f9401b8668a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\telamon.exe

Filesize
2.3MB

MD5
6a80889e81911157ca27df5bc5ac2e09

SHA1
02ac28dd7124317e294fac847a05b69411c9cdb2

SHA256
0b74c13914f712fce5bb41c25a443c4214a97792bdbb6fea05b98350901405ff

SHA512
329ec105834f4531386090074994e5c4ddbdaf4cc4801956b675e258e9167f9e70cf31b8d636d119b59b57af0912decdc259d12999842008cec807a967c89aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AT422.tmp\butdes.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TVHGT.tmp\tt-installer-helper.exe

Filesize
404KB

MD5
5b4c8e63be988b83b09e13e9d1d74bb9

SHA1
bcb242f54ee83f232df6b871aebc0f3d44e434c6

SHA256
8ae877bd5f45975d827280bee2e19021c3401b5ba069df0e556f6911798adb4d

SHA512
a31f9e24a4a27847516808b24f312d4df6b865eb421f84d8d4fc022bdb309e08e5648c52c13772a48456c578f3771d232539c7d30132a82a08e8ebbabcbffa0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TVHGT.tmp\~execwithresult.txt

Filesize
77B

MD5
e7cba31f266903b1154d3494df422912

SHA1
83155787a007a3419e37681a379b5e5d6c3b9515

SHA256
1e4b930f9aa48b9141eab3619033fc9dda23f72aae40cb545823265993304d4e

SHA512
24591ad5bb0607d44fe6c63f5d3beed47f7856e73651119c673ad18b6e1ece5f8472686f7e037e4b10ce309fcb24d2569e957153e1c7d7b2ac282f0df74fc59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB924.tmp\JsisPlugins.dll

Filesize
2.1MB

MD5
d21ae3f86fc69c1580175b7177484fa7

SHA1
2ed2c1f5c92ff6daa5ea785a44a6085a105ae822

SHA256
a6241f168cacb431bfcd4345dd77f87b378dd861b5d440ae8d3ffd17b9ceb450

SHA512
eda08b6ebdb3f0a3b6b43ef755fc275396a8459b8fc8a41eff55473562c394d015e5fe573b3b134eeed72edff2b0f21a3b9ee69a4541fd9738e880b71730303f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB924.tmp\StdUtils.dll

Filesize
195KB

MD5
34939c7b38bffedbf9b9ed444d689bc9

SHA1
81d844048f7b11cafd7561b7242af56e92825697

SHA256
b127f3e04429d9f841a03bfd9344a0450594004c770d397fb32a76f6b0eabed0

SHA512
bc1b347986a5d2107ad03b65e4b9438530033975fb8cc0a63d8ef7d88c1a96f70191c727c902eb7c3e64aa5de9ce6bb04f829ceb627eda278f44ca3dd343a953

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC60F.tmp\CR.History.tmp

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC60F.tmp\FF.places.tmp

Filesize
5.0MB

MD5
35b6001877e838f67efae4cfc185ec61

SHA1
e284cf065d8fe9de6307d9c5c0305e8101ba7dd5

SHA256
3713eb7e64c60aa293773611519b14e63b8d1f90355b262516697e8bf6b8b80b

SHA512
55b5f734048c622ea4547232d459fa4f3e33a122a437da55f9fa5b946f6d4cfe4dd2beb7f5826af2b968cac4dc7e24b5d7d22bc33b10efe90d5da7d547416edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC60F.tmp\Midex.dll

Filesize
126KB

MD5
2597a829e06eb9616af49fcd8052b8bd

SHA1
871801aba3a75f95b10701f31303de705cb0bc5a

SHA256
7359ca1befdb83d480fc1149ac0e8e90354b5224db7420b14b2d96d87cd20a87

SHA512
8e5552b2f6e1c531aaa9fd507aa53c6e3d2f1dd63fe19e6350c5b6fbb009c99d353bb064a9eba4c31af6a020b31c0cd519326d32db4c8b651b83952e265ffb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC60F.tmp\thirdparty.dll

Filesize
93KB

MD5
7b4bd3b8ad6e913952f8ed1ceef40cd4

SHA1
b15c0b90247a5066bd06d094fa41a73f0f931cb8

SHA256
a49d3e455d7aeca2032c30fc099bfad1b1424a2f55ec7bb0f6acbbf636214754

SHA512
d7168f9504dd6bbac7ee566c3591bfd7ad4e55bcac463cecb70540197dfe0cd969af96d113c6709d6c8ce6e91f2f5f6542a95c1a149caa78ba4bcb971e0c12a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4WYT3IBVF7GS3R7QYKOP.temp

Filesize
7KB

MD5
8fe07e3b97e96bbb26ce5be9942b6265

SHA1
7a08ca9302c973b44bf4ed1e329e0ae3649d9e5e

SHA256
b6c43c210a42b3ff644c3226b1af0b41016be491ee51ef2e6eb49b5ab29af92a

SHA512
e18edaaf98a91df705e5c6bb0c5f410803ddbf6fa7d0b3419a64e876a67b53b68c1380f16a98843d62651c36b2acd7dd17a25f5bd6daea10236794e311a36b1e

Download Submit
C:\Windows\system\LPwMdtt.exe

Filesize
5.2MB

MD5
7bff5ad7e0d54b4ab47cfc4b9e0a8a86

SHA1
df508aa0b074c8abcd9593f27be776303ec2a34c

SHA256
55488f1d0cec8efab886eacb7f3b43fc0a564f2b0f1bf84bcabba71b1a3acc11

SHA512
862a482fcd6db4a23b8ca5e8215b0149cee301b738acdf084811c3baed196a269f2b22833606b3ab0bfeb94e78e5e0eed35cbd90ec0caab4d5b689a56d149b8a

Download Submit
\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\anti.exe

Filesize
1.9MB

MD5
cb02c0438f3f4ddabce36f8a26b0b961

SHA1
48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256
64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512
373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Download Submit
\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\butdes.exe

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\g_.exe

Filesize
69KB

MD5
3cb72c753dd5e198792d1e0be81f7e2b

SHA1
8a55b72a998bf8362a12f68ee8c4801a5a24754c

SHA256
be9d8772b360ca8054929e5f057413b69932ca8e521e6c696e0fb6b371e8cb97

SHA512
008ed2e26fb4f41e9bb245130cc8f285744ccf737adeffc4c78cb11c03261f906cfd50b5b9e78f2c17dc2b8a01d83554e93f4960370064af87e84322cc78ee70

Download Submit
\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\i.exe

Filesize
12KB

MD5
cea5426da515d43c88132a133f83ce68

SHA1
0c224d0bb777f1e3b186fdf58cc82860d96805cc

SHA256
2be7a0865ded1c0bd1f92d5e09bb7b37a9e36a40487a687e0359c93878611a78

SHA512
4c1f25147222c84dff513bebf00e828719454ad634ef9380cfc7835f0457a718b4b437ecb60c1fa72a7f83fbb67e1ddfcd225194eedda77034c72f8c752c642c

Download Submit
\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\rckdck.exe

Filesize
6.2MB

MD5
a79fb1a90fb3d92cf815f2c08d3ade6d

SHA1
25e5e553af5e2d21b5cfc70ba41afb65202f6fd5

SHA256
43759b0c441fd4f71fe5eeb69f548cd2eb40ac0abfa02ea3afc44fbddf28dc16

SHA512
82aa45337987c4f344361037c6ca8cf4fbf0fc1e5079ac03f54f3184354792965f6f3b28bd2ab7b511d21f29859e2832fc6b6122a49ddecde12afc7e26fd62dd

Download Submit
\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_453426f8-fa1c-43da-bd37-9f03be8fb1fb\t.exe

Filesize
62KB

MD5
9e0c60453cdea093fa4c6762f9b1fda9

SHA1
02dfa74e42739c4e8a9a0534273f6a89b51f1dd3

SHA256
269c6da90935306778f4f76005d1f00b49703f8819b60e2764cc14a5abc9a781

SHA512
fc499cb6b98529c7a856c9ec7198f2a6d00d0c0d6b16e826913ab8dca2602f6700e3956749d3316484b94e6867f54cf99aa77f23375ea6c5ea75daa88c91aa96

Download Submit
\Users\Admin\AppData\Local\Temp\is-99SPH.tmp\telamon.tmp

Filesize
3.1MB

MD5
292d91bef15a5a5d5f5c06425a96e0ee

SHA1
5f4400c94ceebf54825e94cb5d9f616850331e96

SHA256
b6f6cbd03951a6feee4d4766443ce0b7623db000cbfe774146ee43f5a5831373

SHA512
0aca0538ce4c94ef9a8008846add36f51db001905f6cdb373a0348094f11762269aaf92928c6761eb41b1b22cd045ece325b9cd71c67944a1e6c092a72fca200

Download Submit
\Users\Admin\AppData\Local\Temp\is-BDMAP.tmp\is-B7SV1.tmp

Filesize
659KB

MD5
5aa68bb2bf3b994bda93834ad34e7963

SHA1
0156732d5dd48feacfab3aa07764061d73b9116c

SHA256
a90bfd9874c3e60650dba4c286b97ccdb375a456b95556feb38f3cba214770aa

SHA512
e52fecbba96aa911552ef0e11d5d044ec44caf6e0947f64c9a17b04d846a3e86d19e4dfa5ac981fc98d44f941fda3a697c1d23ac6e8ef162f4bcdde9142f22f7

Download Submit
\Users\Admin\AppData\Local\Temp\is-TVHGT.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB924.tmp\jsis.dll

Filesize
127KB

MD5
2027121c3cdeb1a1f8a5f539d1fe2e28

SHA1
bcf79f49f8fc4c6049f33748ded21ec3471002c2

SHA256
1dae8b6de29f2cfc0745d9f2a245b9ecb77f2b272a5b43de1ba5971c43bf73a1

SHA512
5b0d9966ecc08bcc2c127b2bd916617b8de2dcbdc28aff7b4b8449a244983bfbe33c56f5c4a53b7cf21faf1dbab4bb845a5894492e7e10f3f517071f7a59727c

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB924.tmp\nsJSON.dll

Filesize
36KB

MD5
f840a9ddd319ee8c3da5190257abde5b

SHA1
3e868939239a5c6ef9acae10e1af721e4f99f24b

SHA256
ddb6c9f8de72ddd589f009e732040250b2124bca6195aa147aa7aac43fc2c73a

SHA512
8e12391027af928e4f7dad1ec4ab83e8359b19a7eb0be0372d051dfd2dd643dc0dfa086bd345760a496e5630c17f53db22f6008ae665033b766cbfcdd930881a

Download Submit
memory/756-2481-0x000000013FED0000-0x000000013FEF6000-memory.dmp

Filesize
152KB

Download
memory/756-279-0x000000013FED0000-0x000000013FEF6000-memory.dmp

Filesize
152KB

Download
memory/784-2708-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/784-2660-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/784-2615-0x0000000002420000-0x0000000002771000-memory.dmp

Filesize
3.3MB

Download
memory/784-2714-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/784-2713-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/784-2618-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/784-2606-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/784-2620-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/784-2632-0x0000000002420000-0x0000000002771000-memory.dmp

Filesize
3.3MB

Download
memory/784-2711-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/784-2710-0x000000013F5D0000-0x000000013F921000-memory.dmp

Filesize
3.3MB

Download
memory/784-2719-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/784-2653-0x000000013F5D0000-0x000000013F921000-memory.dmp

Filesize
3.3MB

Download
memory/784-2709-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download
memory/784-2720-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/784-2706-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/784-2599-0x000000013F110000-0x000000013F461000-memory.dmp

Filesize
3.3MB

Download
memory/784-2602-0x0000000002420000-0x0000000002771000-memory.dmp

Filesize
3.3MB

Download
memory/784-2593-0x0000000002420000-0x0000000002771000-memory.dmp

Filesize
3.3MB

Download
memory/784-2586-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/784-2705-0x0000000002420000-0x0000000002771000-memory.dmp

Filesize
3.3MB

Download
memory/784-2700-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/784-2647-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/784-2649-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download
memory/784-2654-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/784-2695-0x000000013F110000-0x000000013F461000-memory.dmp

Filesize
3.3MB

Download
memory/784-2655-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/784-2656-0x0000000002420000-0x0000000002771000-memory.dmp

Filesize
3.3MB

Download
memory/784-2659-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/784-2694-0x0000000002420000-0x0000000002771000-memory.dmp

Filesize
3.3MB

Download
memory/784-2696-0x0000000002420000-0x0000000002771000-memory.dmp

Filesize
3.3MB

Download
memory/784-2567-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/996-2460-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/996-101-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1144-2784-0x000000013FCD0000-0x0000000140021000-memory.dmp

Filesize
3.3MB

Download
memory/1144-2608-0x000000013FCD0000-0x0000000140021000-memory.dmp

Filesize
3.3MB

Download
memory/1240-2721-0x00000000054D0000-0x0000000005552000-memory.dmp

Filesize
520KB

Download
memory/1240-2589-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/1240-2581-0x00000000011A0000-0x000000000128A000-memory.dmp

Filesize
936KB

Download
memory/1280-2461-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-108-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1308-2780-0x000000013FE30000-0x0000000140181000-memory.dmp

Filesize
3.3MB

Download
memory/1308-2596-0x000000013FE30000-0x0000000140181000-memory.dmp

Filesize
3.3MB

Download
memory/1316-2479-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1512-2524-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1620-293-0x00000000011D0000-0x00000000011EC000-memory.dmp

Filesize
112KB

Download
memory/1620-1717-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/1620-1716-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/1864-2525-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/1864-154-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/1952-2801-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/1952-2657-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/1984-265-0x000000013F850000-0x000000013F877000-memory.dmp

Filesize
156KB

Download
memory/1984-2152-0x000000013F850000-0x000000013F877000-memory.dmp

Filesize
156KB

Download
memory/2016-2663-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2016-2802-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2064-1715-0x000000013FC00000-0x000000013FC29000-memory.dmp

Filesize
164KB

Download
memory/2064-257-0x000000013FC00000-0x000000013FC29000-memory.dmp

Filesize
164KB

Download
memory/2252-2746-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2252-2734-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2276-282-0x000000013FDB0000-0x000000013FDD6000-memory.dmp

Filesize
152KB

Download
memory/2276-2511-0x000000013FDB0000-0x000000013FDD6000-memory.dmp

Filesize
152KB

Download
memory/2316-2535-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/2356-2792-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2356-2638-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2416-2585-0x00000000008E0000-0x0000000000902000-memory.dmp

Filesize
136KB

Download
memory/2416-2583-0x0000000000E10000-0x0000000000FB2000-memory.dmp

Filesize
1.6MB

Download
memory/2416-2584-0x0000000005000000-0x00000000050E2000-memory.dmp

Filesize
904KB

Download
memory/2428-2790-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2428-2707-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2428-2619-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2680-2523-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2680-135-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2728-57-0x0000000001360000-0x0000000001552000-memory.dmp

Filesize
1.9MB

Download
memory/2728-277-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-56-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-2478-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2876-256-0x0000000002310000-0x0000000002339000-memory.dmp

Filesize
164KB

Download
memory/2876-2150-0x0000000002310000-0x0000000002337000-memory.dmp

Filesize
156KB

Download
memory/2876-2480-0x0000000002310000-0x0000000002336000-memory.dmp

Filesize
152KB

Download
memory/2876-264-0x0000000002310000-0x0000000002337000-memory.dmp

Filesize
156KB

Download
memory/2876-281-0x0000000002310000-0x0000000002336000-memory.dmp

Filesize
152KB

Download
memory/2876-278-0x0000000002310000-0x0000000002336000-memory.dmp

Filesize
152KB

Download
memory/2876-1714-0x0000000002310000-0x0000000002339000-memory.dmp

Filesize
164KB

Download
memory/2876-2510-0x0000000002310000-0x0000000002336000-memory.dmp

Filesize
152KB

Download
memory/3004-2582-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-3-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-266-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-2-0x0000000000390000-0x00000000003B4000-memory.dmp

Filesize
144KB

Download
memory/3004-0-0x0000000073F8E000-0x0000000073F8F000-memory.dmp

Filesize
4KB

Download
memory/3004-263-0x0000000073F8E000-0x0000000073F8F000-memory.dmp

Filesize
4KB

Download
memory/3004-1-0x0000000000B40000-0x0000000000B8A000-memory.dmp

Filesize
296KB

Download
memory/3204-2794-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/3204-2648-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/3208-2699-0x000000013F110000-0x000000013F461000-memory.dmp

Filesize
3.3MB

Download
memory/3208-2604-0x000000013F110000-0x000000013F461000-memory.dmp

Filesize
3.3MB

Download
memory/3208-2782-0x000000013F110000-0x000000013F461000-memory.dmp

Filesize
3.3MB

Download
memory/3316-2786-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/3316-2609-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/3388-2661-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/3388-2796-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/3640-2798-0x000000013F5D0000-0x000000013F921000-memory.dmp

Filesize
3.3MB

Download
memory/3640-2662-0x000000013F5D0000-0x000000013F921000-memory.dmp

Filesize
3.3MB

Download
memory/3828-2616-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/3828-2788-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/4036-2712-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4036-2658-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4036-2568-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4040-2687-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4040-2692-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4040-2693-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4040-2691-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/4040-2689-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4040-2685-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4040-2683-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download