agenttesla | 091fe012d48363c38f32016a497481c9a598e400f1c83bb254f5e7ebaf75bf41

Analysis

max time kernel
17s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1.exe
Size

58.1MB
MD5

a36ccf5fb6bc5c1342371a21b33a6f0c
SHA1

2daefc8e9d7a3f7d461a9cc7a2a69e9c87667c83
SHA256

f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1
SHA512

80f3c9e56cd1f9ba596c93a0742e5f56e7a44fdc678d9c3a19f0e90db9a81ed1ce09e159f61c57c566e47c428986f96bc29b7e1f71941c86961e3f43ab4dcc78
SSDEEP

1572864:TLOrJXzVj0mz3uu2etPQiWmoh8rb28CQG2Y:TLqJXBj0kuu3IDmnrb5Y

Score

10^/10

agenttesla cobaltstrike modiloader raccoon xmrig 2ca5558c9ec8037d24a611513d7bd076 backdoor discovery evasion execution keylogger miner spyware stealer trojan upx

Malware Config

Extracted

Family

raccoon

Botnet

2ca5558c9ec8037d24a611513d7bd076

https://192.153.57.177:80

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
webmaster
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0007000000023539-2121.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 2 IoCs

resource	yara_rule
behavioral2/memory/2312-2116-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/2312-2114-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/2624-2279-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2

XMRig Miner payload 23 IoCs

miner

resource	yara_rule
behavioral2/memory/6952-2186-0x00007FF6EABE0000-0x00007FF6EAF31000-memory.dmp	xmrig
behavioral2/memory/1368-2191-0x00007FF76E600000-0x00007FF76E951000-memory.dmp	xmrig
behavioral2/memory/6908-2192-0x00007FF7788B0000-0x00007FF778C01000-memory.dmp	xmrig
behavioral2/memory/6608-2199-0x00007FF7CB0C0000-0x00007FF7CB411000-memory.dmp	xmrig
behavioral2/memory/5172-2201-0x00007FF74F250000-0x00007FF74F5A1000-memory.dmp	xmrig
behavioral2/memory/6196-2203-0x00007FF7EE560000-0x00007FF7EE8B1000-memory.dmp	xmrig
behavioral2/memory/5508-2205-0x00007FF64F9D0000-0x00007FF64FD21000-memory.dmp	xmrig
behavioral2/memory/6216-2204-0x00007FF7B3CB0000-0x00007FF7B4001000-memory.dmp	xmrig
behavioral2/memory/6684-2202-0x00007FF6870C0000-0x00007FF687411000-memory.dmp	xmrig
behavioral2/memory/5356-2200-0x00007FF7C28A0000-0x00007FF7C2BF1000-memory.dmp	xmrig
behavioral2/memory/5888-2206-0x00007FF7E3460000-0x00007FF7E37B1000-memory.dmp	xmrig
behavioral2/memory/4596-2207-0x00007FF676F00000-0x00007FF677251000-memory.dmp	xmrig
behavioral2/memory/3716-2278-0x00007FF722C40000-0x00007FF722F91000-memory.dmp	xmrig
behavioral2/memory/5832-2282-0x00007FF7FBFC0000-0x00007FF7FC311000-memory.dmp	xmrig
behavioral2/memory/4136-2283-0x00007FF7D9630000-0x00007FF7D9981000-memory.dmp	xmrig
behavioral2/memory/4956-2284-0x00007FF6852D0000-0x00007FF685621000-memory.dmp	xmrig
behavioral2/memory/1420-2285-0x00007FF7BC6E0000-0x00007FF7BCA31000-memory.dmp	xmrig
behavioral2/memory/5308-2286-0x00007FF6682B0000-0x00007FF668601000-memory.dmp	xmrig
behavioral2/memory/4452-2287-0x00007FF7DC4A0000-0x00007FF7DC7F1000-memory.dmp	xmrig
behavioral2/memory/7076-2289-0x00007FF77ECD0000-0x00007FF77F021000-memory.dmp	xmrig
behavioral2/memory/6140-2288-0x00007FF772C90000-0x00007FF772FE1000-memory.dmp	xmrig
behavioral2/memory/6880-2290-0x00007FF74AB30000-0x00007FF74AE81000-memory.dmp	xmrig
behavioral2/memory/6608-2291-0x00007FF7CB0C0000-0x00007FF7CB411000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4080	powershell.exe
5228	powershell.exe
5204	powershell.exe
5148	powershell.exe
5812	powershell.exe

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\4F2BD24E2A8A2C9B4263A59CA0890CD22D34D0B8\Blob = 0f000000010000001400000055f526e3174ebfcb0e0a02894e25dbb2d7c8bb640200000001000000cc0000001c0000006c0000000100000000000000000000000000000001000000380062003700320037003100310033002d0035006100360037002d0034006300640037002d0039006500340061002d0061003700330039003900610037003900390036006100640000000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000300000001000000140000004f2bd24e2a8a2c9b4263a59ca0890cd22d34d0b8200000000100000000030000308202fc308201e4a00302010202104feeb2dc4b64739a4b69466fa445aae7300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234303932323030333934305a180f32313234303832393030333934305a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100db9c35d95660014c0359213586f3a582aa872c2d5eb46149837e1bd413b775fb4ebbc05818e7ef79c9789925b88c09b82ec15eebf73ee20ad9efa127d62d67fb53a57d6f95515b633551b4972fdd53e8732a2dd4c12be27570d902089311e4bc19301edd4baca4a9d9af8481fa8b332d231467572b13d9f5bedaeccc86c6dfd8eecde691f0e092aeba5f4b08d1d1dcb69c3e5d031fe784fceed35b1e9855ee3e15cbac3f6319f4af907f6cdf07e081a16ccc0bbc6c7ad07229eaf954b0172e588509a5eff6f1a1a9c78d4f76741452ffa6be834fdb4ef4f257e825408ad43dfe73c6f81710c557b26f6bc8163894bcb74b6dff7f05fb1eb612404b1852b44b510203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e4048564450435947530030090603551d1304023000300d06092a864886f70d01010505000382010100ba9841094ff4d8a3dc0abc129dc64eab1c41eddfd3428fc0739b1cdb91bbd758625c2b27dda375f8e961efacfe663dd9f977bafb44481355acecb6c732d471ba38ae9abf3f69e447c72d191bb8cc7dd2e4434003149061dc3321908887bd7c627ae25a2abc935c8a9229eaf3a2ecc8a3f7d156fcb629e763aa2a2296baee5649fb5303cb1e7cafed9209c350999d91aa4612b1eb74c796cf4e1f9a1da7e5fa9cd5dda15cb9ea4cfbca645497bc3ed889d1b6c4dc232e76591cd91bfb5669881706e800ab36df5846684516a196285cb09141b976dccf9ab5c1d247e5da3ba8bf7bfa0d8b2222d800352f53d84b1d556eb8c0b453fa8c87d399f628c2a4c3bc7f	msedge.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
5984	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	avg.exe

Executes dropped EXE 25 IoCs

pid	Process
1736	anti.exe
2644	butdes.exe
1244	flydes.exe
5036	i.exe
4760	butdes.tmp
60	flydes.tmp
3828	gx.exe
4508	bundle.exe
4792	rckdck.exe
2244	is-NGE0F.tmp
2224	avg.exe
3784	telamon.exe
4460	setup.exe
4192	stopwatch.exe
4348	telamon.tmp
3796	setup.exe
5148	setup.exe
5452	tt-installer-helper.exe
5572	g_.exe
5596	t.exe
5736	g.exe
5804	e.exe
5888	tt-installer-helper.exe
6020	Bootstraper.exe
5556	ajD370.exe

Loads dropped DLL 20 IoCs

pid	Process
4460	setup.exe
2224	avg.exe
2224	avg.exe
4348	telamon.tmp
3796	setup.exe
5148	setup.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
5596	t.exe
5596	t.exe
5572	g_.exe
5572	g_.exe
5736	g.exe
5736	g.exe
5804	e.exe
5804	e.exe
2224	avg.exe
5556	ajD370.exe
5556	ajD370.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3716-2101-0x00007FF722C40000-0x00007FF722F91000-memory.dmp	upx
behavioral2/memory/5308-2141-0x00007FF6682B0000-0x00007FF668601000-memory.dmp	upx
behavioral2/memory/5832-2163-0x00007FF7FBFC0000-0x00007FF7FC311000-memory.dmp	upx
behavioral2/memory/1420-2138-0x00007FF7BC6E0000-0x00007FF7BCA31000-memory.dmp	upx
behavioral2/memory/4136-2167-0x00007FF7D9630000-0x00007FF7D9981000-memory.dmp	upx
behavioral2/memory/4956-2174-0x00007FF6852D0000-0x00007FF685621000-memory.dmp	upx
behavioral2/memory/6952-2186-0x00007FF6EABE0000-0x00007FF6EAF31000-memory.dmp	upx
behavioral2/memory/1368-2191-0x00007FF76E600000-0x00007FF76E951000-memory.dmp	upx
behavioral2/memory/7076-2182-0x00007FF77ECD0000-0x00007FF77F021000-memory.dmp	upx
behavioral2/memory/6140-2178-0x00007FF772C90000-0x00007FF772FE1000-memory.dmp	upx
behavioral2/memory/6880-2194-0x00007FF74AB30000-0x00007FF74AE81000-memory.dmp	upx
behavioral2/memory/6908-2192-0x00007FF7788B0000-0x00007FF778C01000-memory.dmp	upx
behavioral2/memory/6608-2199-0x00007FF7CB0C0000-0x00007FF7CB411000-memory.dmp	upx
behavioral2/memory/5172-2201-0x00007FF74F250000-0x00007FF74F5A1000-memory.dmp	upx
behavioral2/memory/6196-2203-0x00007FF7EE560000-0x00007FF7EE8B1000-memory.dmp	upx
behavioral2/memory/5508-2205-0x00007FF64F9D0000-0x00007FF64FD21000-memory.dmp	upx
behavioral2/memory/6216-2204-0x00007FF7B3CB0000-0x00007FF7B4001000-memory.dmp	upx
behavioral2/memory/6684-2202-0x00007FF6870C0000-0x00007FF687411000-memory.dmp	upx
behavioral2/memory/5356-2200-0x00007FF7C28A0000-0x00007FF7C2BF1000-memory.dmp	upx
behavioral2/memory/4452-2166-0x00007FF7DC4A0000-0x00007FF7DC7F1000-memory.dmp	upx
behavioral2/files/0x0007000000023539-2121.dat	upx
behavioral2/memory/5888-2206-0x00007FF7E3460000-0x00007FF7E37B1000-memory.dmp	upx
behavioral2/memory/4596-2207-0x00007FF676F00000-0x00007FF677251000-memory.dmp	upx
behavioral2/memory/3716-2278-0x00007FF722C40000-0x00007FF722F91000-memory.dmp	upx
behavioral2/memory/5832-2282-0x00007FF7FBFC0000-0x00007FF7FC311000-memory.dmp	upx
behavioral2/memory/4136-2283-0x00007FF7D9630000-0x00007FF7D9981000-memory.dmp	upx
behavioral2/memory/4956-2284-0x00007FF6852D0000-0x00007FF685621000-memory.dmp	upx
behavioral2/memory/1420-2285-0x00007FF7BC6E0000-0x00007FF7BCA31000-memory.dmp	upx
behavioral2/memory/5308-2286-0x00007FF6682B0000-0x00007FF668601000-memory.dmp	upx
behavioral2/memory/4452-2287-0x00007FF7DC4A0000-0x00007FF7DC7F1000-memory.dmp	upx
behavioral2/memory/7076-2289-0x00007FF77ECD0000-0x00007FF77F021000-memory.dmp	upx
behavioral2/memory/6140-2288-0x00007FF772C90000-0x00007FF772FE1000-memory.dmp	upx
behavioral2/memory/6880-2290-0x00007FF74AB30000-0x00007FF74AE81000-memory.dmp	upx
behavioral2/memory/6608-2291-0x00007FF7CB0C0000-0x00007FF7CB411000-memory.dmp	upx

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	avg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\AVAST Software\Avast	avg.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
213	raw.githubusercontent.com
214	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
271	api.ipify.org
272	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
6600	4484	WerFault.exe	248
6288	4484	WerFault.exe	248

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	telamon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rckdck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butdes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstraper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stopwatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tt-installer-helper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bundle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flydes.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2112	timeout.exe
6728	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
1792	taskkill.exe
5100	taskkill.exe
6220	taskkill.exe
6208	taskkill.exe
4112	taskkill.exe
1188	taskkill.exe
3884	taskkill.exe
2452	taskkill.exe
3624	taskkill.exe
5100	taskkill.exe
1996	taskkill.exe
6476	taskkill.exe
6300	taskkill.exe
5100	taskkill.exe
2924	taskkill.exe
4816	taskkill.exe
6184	taskkill.exe
5724	taskkill.exe
3472	taskkill.exe
3568	taskkill.exe
3780	taskkill.exe
4980	taskkill.exe
6404	taskkill.exe
6272	taskkill.exe
4704	taskkill.exe
4672	taskkill.exe
536	taskkill.exe
6068	taskkill.exe
7012	taskkill.exe
400	taskkill.exe
4840	taskkill.exe
3636	taskkill.exe
2212	taskkill.exe
796	taskkill.exe
4188	taskkill.exe
4024	taskkill.exe
4652	taskkill.exe
3132	taskkill.exe
6652	taskkill.exe
4960	taskkill.exe
3628	taskkill.exe
1972	taskkill.exe
4512	taskkill.exe
3692	taskkill.exe
1900	taskkill.exe
6812	taskkill.exe
2872	taskkill.exe
3048	taskkill.exe
3228	taskkill.exe
864	taskkill.exe
6540	taskkill.exe
524	taskkill.exe
4064	taskkill.exe
5364	taskkill.exe
4816	taskkill.exe
6892	taskkill.exe
4792	taskkill.exe
540	taskkill.exe
4732	taskkill.exe
1276	taskkill.exe
7084	taskkill.exe
6068	taskkill.exe
5832	taskkill.exe
3044	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
6924	notepad.exe
4300	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2220	msedge.exe
2220	msedge.exe
5108	msedge.exe
5108	msedge.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
5228	powershell.exe
5228	powershell.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
5204	powershell.exe
5204	powershell.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
2224	avg.exe
5148	powershell.exe
5148	powershell.exe
2224	avg.exe
2224	avg.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4732	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	1276	taskkill.exe
Token: SeDebugPrivilege	4960	taskkill.exe
Token: SeDebugPrivilege	224	taskkill.exe
Token: SeDebugPrivilege	400	taskkill.exe
Token: SeDebugPrivilege	3884	taskkill.exe
Token: SeDebugPrivilege	4792	taskkill.exe
Token: SeDebugPrivilege	2212	taskkill.exe
Token: SeDebugPrivilege	3472	taskkill.exe
Token: SeDebugPrivilege	4512	taskkill.exe
Token: SeDebugPrivilege	5100	taskkill.exe
Token: SeDebugPrivilege	3508	taskkill.exe
Token: SeDebugPrivilege	4652	taskkill.exe
Token: SeDebugPrivilege	2232	taskkill.exe
Token: SeDebugPrivilege	2452	taskkill.exe
Token: SeDebugPrivilege	4112	taskkill.exe
Token: SeDebugPrivilege	3728	taskkill.exe
Token: SeDebugPrivilege	3568	taskkill.exe
Token: SeDebugPrivilege	5076	taskkill.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	4168	taskkill.exe
Token: SeDebugPrivilege	2384	taskkill.exe
Token: SeDebugPrivilege	3700	taskkill.exe
Token: SeDebugPrivilege	1020	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	3692	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	4816	taskkill.exe
Token: SeDebugPrivilege	4840	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	796	taskkill.exe
Token: SeDebugPrivilege	524	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe
Token: SeDebugPrivilege	2624	taskkill.exe
Token: SeDebugPrivilege	756	taskkill.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeDebugPrivilege	3132	taskkill.exe
Token: SeDebugPrivilege	3876	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	3228	taskkill.exe
Token: 33	3596	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3596	AUDIODG.EXE
Token: SeDebugPrivilege	4980	taskkill.exe
Token: SeDebugPrivilege	5100	taskkill.exe
Token: SeDebugPrivilege	4884	taskkill.exe
Token: SeDebugPrivilege	3780	taskkill.exe
Token: SeDebugPrivilege	3624	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	4756	taskkill.exe
Token: SeDebugPrivilege	2244	taskkill.exe
Token: SeDebugPrivilege	4104	taskkill.exe
Token: SeDebugPrivilege	3048	taskkill.exe
Token: SeDebugPrivilege	864	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	4188	taskkill.exe
Token: SeDebugPrivilege	3828	taskkill.exe
Token: SeDebugPrivilege	4704	taskkill.exe
Token: SeDebugPrivilege	4672	taskkill.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
4736	efsui.exe
4736	efsui.exe
4736	efsui.exe
1736	anti.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
4192	stopwatch.exe
5372	msiexec.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4736	efsui.exe
4736	efsui.exe
4736	efsui.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4460	setup.exe
2224	avg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 2068	3652	f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1.exe	84
PID 3652 wrote to memory of 2068	3652	f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1.exe	84
PID 3652 wrote to memory of 2068	3652	f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1.exe	84
PID 2068 wrote to memory of 1736	2068	cmd.exe	86
PID 2068 wrote to memory of 1736	2068	cmd.exe	86
PID 2068 wrote to memory of 1736	2068	cmd.exe	86
PID 2068 wrote to memory of 1556	2068	cmd.exe	87
PID 2068 wrote to memory of 1556	2068	cmd.exe	87
PID 2068 wrote to memory of 1556	2068	cmd.exe	87
PID 2068 wrote to memory of 4236	2068	cmd.exe	89
PID 2068 wrote to memory of 4236	2068	cmd.exe	89
PID 2068 wrote to memory of 4236	2068	cmd.exe	89
PID 1556 wrote to memory of 4732	1556	cmd.exe	91
PID 1556 wrote to memory of 4732	1556	cmd.exe	91
PID 1556 wrote to memory of 4732	1556	cmd.exe	91
PID 2068 wrote to memory of 1532	2068	cmd.exe	92
PID 2068 wrote to memory of 1532	2068	cmd.exe	92
PID 2068 wrote to memory of 1532	2068	cmd.exe	92
PID 1556 wrote to memory of 3000	1556	cmd.exe	94
PID 1556 wrote to memory of 3000	1556	cmd.exe	94
PID 1556 wrote to memory of 3000	1556	cmd.exe	94
PID 1556 wrote to memory of 1276	1556	cmd.exe	95
PID 1556 wrote to memory of 1276	1556	cmd.exe	95
PID 1556 wrote to memory of 1276	1556	cmd.exe	95
PID 1556 wrote to memory of 4960	1556	cmd.exe	96
PID 1556 wrote to memory of 4960	1556	cmd.exe	96
PID 1556 wrote to memory of 4960	1556	cmd.exe	96
PID 1556 wrote to memory of 224	1556	cmd.exe	97
PID 1556 wrote to memory of 224	1556	cmd.exe	97
PID 1556 wrote to memory of 224	1556	cmd.exe	97
PID 1556 wrote to memory of 400	1556	cmd.exe	98
PID 1556 wrote to memory of 400	1556	cmd.exe	98
PID 1556 wrote to memory of 400	1556	cmd.exe	98
PID 1556 wrote to memory of 3884	1556	cmd.exe	99
PID 1556 wrote to memory of 3884	1556	cmd.exe	99
PID 1556 wrote to memory of 3884	1556	cmd.exe	99
PID 1556 wrote to memory of 4792	1556	cmd.exe	100
PID 1556 wrote to memory of 4792	1556	cmd.exe	100
PID 1556 wrote to memory of 4792	1556	cmd.exe	100
PID 1556 wrote to memory of 2212	1556	cmd.exe	101
PID 1556 wrote to memory of 2212	1556	cmd.exe	101
PID 1556 wrote to memory of 2212	1556	cmd.exe	101
PID 1556 wrote to memory of 3472	1556	cmd.exe	102
PID 1556 wrote to memory of 3472	1556	cmd.exe	102
PID 1556 wrote to memory of 3472	1556	cmd.exe	102
PID 1556 wrote to memory of 4512	1556	cmd.exe	103
PID 1556 wrote to memory of 4512	1556	cmd.exe	103
PID 1556 wrote to memory of 4512	1556	cmd.exe	103
PID 1556 wrote to memory of 5100	1556	cmd.exe	104
PID 1556 wrote to memory of 5100	1556	cmd.exe	104
PID 1556 wrote to memory of 5100	1556	cmd.exe	104
PID 1556 wrote to memory of 3508	1556	cmd.exe	105
PID 1556 wrote to memory of 3508	1556	cmd.exe	105
PID 1556 wrote to memory of 3508	1556	cmd.exe	105
PID 1556 wrote to memory of 4652	1556	cmd.exe	106
PID 1556 wrote to memory of 4652	1556	cmd.exe	106
PID 1556 wrote to memory of 4652	1556	cmd.exe	106
PID 1556 wrote to memory of 2232	1556	cmd.exe	107
PID 1556 wrote to memory of 2232	1556	cmd.exe	107
PID 1556 wrote to memory of 2232	1556	cmd.exe	107
PID 1556 wrote to memory of 2452	1556	cmd.exe	108
PID 1556 wrote to memory of 2452	1556	cmd.exe	108
PID 1556 wrote to memory of 2452	1556	cmd.exe	108
PID 1556 wrote to memory of 4112	1556	cmd.exe	109

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5984	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1.exe
"C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\!m.bat" "
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\anti.exe
    anti.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K fence.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1276
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:224
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:400
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2212
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3508
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4168
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3700
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4816
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:540
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:524
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3132
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3228
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4104
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4672
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:5100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:4816
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3636
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3628
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:5832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:6068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:6404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:6272
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:7084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:6220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:6068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:6892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:4064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:6812
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:4024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:1972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:6540
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:7064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:6184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:7012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:7048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3524
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:6476
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:6208
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:6300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6284
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:6652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5724
- - C:\Windows\SysWOW64\cipher.exe
    cipher /k /h /e C:\Users\Admin\Desktop\*
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4236
- - C:\Windows\SysWOW64\cipher.exe
    cipher C:\Users\Admin\Desktop\*
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\doc.html
    3⤵
    - Manipulates Digital Signatures
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:5108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc201b46f8,0x7ffc201b4708,0x7ffc201b4718
      4⤵
      PID:1644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,5974477297582869303,17817200161804233884,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
      4⤵
      PID:4256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,5974477297582869303,17817200161804233884,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,5974477297582869303,17817200161804233884,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
      4⤵
      PID:2096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5974477297582869303,17817200161804233884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
      4⤵
      PID:1360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5974477297582869303,17817200161804233884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      4⤵
      PID:4432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5974477297582869303,17817200161804233884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:1
      4⤵
      PID:4244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5974477297582869303,17817200161804233884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
      4⤵
      PID:2132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5974477297582869303,17817200161804233884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
      4⤵
      PID:4884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5974477297582869303,17817200161804233884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
      4⤵
      PID:5144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,5974477297582869303,17817200161804233884,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7112 /prefetch:2
      4⤵
      PID:796
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\butdes.exe
    butdes.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\is-GFSK5.tmp\butdes.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-GFSK5.tmp\butdes.tmp" /SL5="$2015E,2719719,54272,C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\butdes.exe"
      4⤵
      Executes dropped EXE
      PID:4760
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\flydes.exe
    flydes.exe
    3⤵
    - Executes dropped EXE
    PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\is-GFSK6.tmp\flydes.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-GFSK6.tmp\flydes.tmp" /SL5="$30160,595662,54272,C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\flydes.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:60
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\i.exe
    i.exe
    3⤵
    - Executes dropped EXE
    PID:5036
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2112
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\gx.exe
    gx.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3828
  - - C:\Users\Admin\AppData\Local\Temp\7zS4FEB1CB7\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS4FEB1CB7\setup.exe --server-tracking-blob=MzY5Njg4ZTc1OTE1MjcyMTMxZmYwZTk4ODU3ZWE4Mjk0NjQ0Nzc5MjcxMWY4OGZhOThlNTU5YmNlNzA1NmJiOTp7ImNvdW50cnkiOiJOTCIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9OTF9VVlJfMzczNiZlZGl0aW9uPXN0ZC0yJnV0bV9jb250ZW50PTM3MzZfJnV0bV9pZD0wNTgwYWM0YWUyOTA0ZDA3ODNkOTQxNWE0NWRhZGFkYSZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRnJ1JTJGZ3glM0ZlZGl0aW9uJTNEc3RkLTIlMjZ1dG1fc291cmNlJTNEUFdOZ2FtZXMlMjZ1dG1fbWVkaXVtJTNEcGElMjZ1dG1fY2FtcGFpZ24lM0RQV05fTkxfVVZSXzM3MzYlMjZ1dG1fY29udGVudCUzRDM3MzZfJTI2dXRtX2lkJTNEMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkZneCZ1dG1faWQ9MDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmZGxfdG9rZW49NzAwOTYzNzgiLCJ0aW1lc3RhbXAiOiIxNzI1ODAyMjIzLjgwMDQiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTI4LjAuMC4wIFNhZmFyaS81MzcuMzYgRWRnLzEyOC4wLjAuMCIsInV0bSI6eyJjYW1wYWlnbiI6IlBXTl9OTF9VVlJfMzczNiIsImNvbnRlbnQiOiIzNzM2XyIsImlkIjoiMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS9neCIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiI0ODkyOGFmMC1jZDc3LTQ0NDctYTQyNy1kNzY5ODRmOGQ5NGMifQ==
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4460
    - - C:\Users\Admin\AppData\Local\Temp\7zS4FEB1CB7\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4FEB1CB7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.115 --initial-client-data=0x31c,0x320,0x324,0x2f8,0x328,0x6f971b54,0x6f971b60,0x6f971b6c
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3796
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5148
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409220039481\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409220039481\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
        5⤵
        
        PID:6844
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409220039481\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409220039481\assistant\assistant_installer.exe" --version
        5⤵
        
        PID:6164
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409220039481\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409220039481\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x270,0x274,0x278,0x26c,0x248,0x6b4f48,0x6b4f58,0x6b4f64
        6⤵
        
        PID:5796
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\bundle.exe
    bundle.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4508
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\rckdck.exe
    rckdck.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4792
  - - C:\Users\Admin\AppData\Local\Temp\is-C243J.tmp\is-NGE0F.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-C243J.tmp\is-NGE0F.tmp" /SL4 $20086 "C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\rckdck.exe" 6123423 52736
      4⤵
      Executes dropped EXE
      PID:2244
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\avg.exe
    avg.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\ajD370.exe
      "C:\Users\Admin\AppData\Local\Temp\ajD370.exe" /relaunch=8 /was_elevated=1 /tagdata
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5556
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\telamon.exe
    telamon.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3784
  - - C:\Users\Admin\AppData\Local\Temp\is-DELMU.tmp\telamon.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-DELMU.tmp\telamon.tmp" /SL5="$20096,1520969,918016,C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\telamon.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4348
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-FQ4F9.tmp\tt-installer-helper.exe" --getuid > "C:\Users\Admin\AppData\Local\Temp\is-FQ4F9.tmp\~execwithresult.txt""
        5⤵
        
        PID:5256
      - C:\Users\Admin\AppData\Local\Temp\is-FQ4F9.tmp\tt-installer-helper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-FQ4F9.tmp\tt-installer-helper.exe" --getuid
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5452
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-FQ4F9.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\telamon.exe > "C:\Users\Admin\AppData\Local\Temp\is-FQ4F9.tmp\~execwithresult.txt""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5760
      - C:\Users\Admin\AppData\Local\Temp\is-FQ4F9.tmp\tt-installer-helper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-FQ4F9.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\telamon.exe
        6⤵
        Executes dropped EXE
        
        PID:5888
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\stopwatch.exe
    stopwatch.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:4192
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\gadget.msi"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:5372
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\g_.exe
    g_.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5572
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\t.exe
    t.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5596
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\g.exe
    g.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5736
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\e.exe
    e.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5804
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\GAB
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:5984
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\Bootstraper.exe
    Bootstraper.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6020
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\SalaNses'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5148
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5204
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5228
  - - C:\SalaNses\soles.exe
      "C:\SalaNses\soles.exe"
      4⤵
      PID:4484
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 1496
        5⤵
        Program crash
        
        PID:6600
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 1496
        5⤵
        Program crash
        
        PID:6288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\dng.html
    3⤵
    PID:6084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc201b46f8,0x7ffc201b4708,0x7ffc201b4718
      4⤵
      PID:6104
- - C:\Windows\SysWOW64\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:6728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K proxy.bat
    3⤵
    PID:5300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      PID:5652
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\GAB\12124.CompositeFont"
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:6924
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\GAB\12124.ini
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4300
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\GAB\12124.ttc
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\GAB\12124.TTF
    3⤵
    PID:6668
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\cobstrk.exe
    cobstrk.exe
    3⤵
    PID:3716
  - - C:\Windows\System\ZhTYmnC.exe
      C:\Windows\System\ZhTYmnC.exe
      4⤵
      PID:1420
  - - C:\Windows\System\LwQQimu.exe
      C:\Windows\System\LwQQimu.exe
      4⤵
      PID:5308
  - - C:\Windows\System\xhxCeiN.exe
      C:\Windows\System\xhxCeiN.exe
      4⤵
      PID:5832
  - - C:\Windows\System\VaUnhGW.exe
      C:\Windows\System\VaUnhGW.exe
      4⤵
      PID:5508
  - - C:\Windows\System\gIEzMmN.exe
      C:\Windows\System\gIEzMmN.exe
      4⤵
      PID:4452
  - - C:\Windows\System\hqezjbV.exe
      C:\Windows\System\hqezjbV.exe
      4⤵
      PID:4136
  - - C:\Windows\System\GaekMij.exe
      C:\Windows\System\GaekMij.exe
      4⤵
      PID:4956
  - - C:\Windows\System\UUBPNsE.exe
      C:\Windows\System\UUBPNsE.exe
      4⤵
      PID:6140
  - - C:\Windows\System\kJbBPgR.exe
      C:\Windows\System\kJbBPgR.exe
      4⤵
      PID:7076
  - - C:\Windows\System\nQtyyuI.exe
      C:\Windows\System\nQtyyuI.exe
      4⤵
      PID:6952
  - - C:\Windows\System\dFrYjsM.exe
      C:\Windows\System\dFrYjsM.exe
      4⤵
      PID:1368
  - - C:\Windows\System\LKhwvKq.exe
      C:\Windows\System\LKhwvKq.exe
      4⤵
      PID:5888
  - - C:\Windows\System\QAuwXPq.exe
      C:\Windows\System\QAuwXPq.exe
      4⤵
      PID:4596
  - - C:\Windows\System\xInbsNO.exe
      C:\Windows\System\xInbsNO.exe
      4⤵
      PID:6908
  - - C:\Windows\System\axsIHyr.exe
      C:\Windows\System\axsIHyr.exe
      4⤵
      PID:6880
  - - C:\Windows\System\AdXPAYg.exe
      C:\Windows\System\AdXPAYg.exe
      4⤵
      PID:6608
  - - C:\Windows\System\cBjqezJ.exe
      C:\Windows\System\cBjqezJ.exe
      4⤵
      PID:5356
  - - C:\Windows\System\IvURcaE.exe
      C:\Windows\System\IvURcaE.exe
      4⤵
      PID:5172
  - - C:\Windows\System\AfMjznk.exe
      C:\Windows\System\AfMjznk.exe
      4⤵
      PID:6684
  - - C:\Windows\System\gjhZtbm.exe
      C:\Windows\System\gjhZtbm.exe
      4⤵
      PID:6196
  - - C:\Windows\System\GxabWQP.exe
      C:\Windows\System\GxabWQP.exe
      4⤵
      PID:6216
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\jaf.exe
    jaf.exe
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K des.bat
    3⤵
    PID:6392
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\file.exe
    file.exe
    3⤵
    PID:5044
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:6332
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:2312
- - C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\PurchaseOrder.exe
    PurchaseOrder.exe
    3⤵
    PID:924
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\PurchaseOrder.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5812
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TESAYt.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4080
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TESAYt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC119.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1920
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:5700

C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4736

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1900

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4484 -ip 4484
1⤵
PID:5312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4484 -ip 4484
1⤵
PID:5860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GAB\12124.CompositeFont

Filesize
42KB

MD5
8f64a583b0823bfc2fdf7277e67b5e16

SHA1
f8029c828d0aef58f8818b866f1f7f1ec2f095b8

SHA256
b637a0f9031088d08147f397836fe1c16b15c70db696db4ddea05ec5b95b4f91

SHA512
e8c7941c8a42f6408b0071c7f0ea06a226757d3a07e3943738296c5dd5e5e60d682424182f0d788f42a5758f1c76ef1ec89901acc43799833234f09f3b4278a2

Download Submit
C:\GAB\12124.TTF

Filesize
175KB

MD5
89656b3f0a9cb59e470f47c9b68d3660

SHA1
c9cf8caecb66418bc8ce95bc6eeb9ee10edb9b7c

SHA256
d460cc9f99a343531a93ae4d6dcac016dd3befe64eaef54fa9b7c4980da951bc

SHA512
26e3fc6ae044c95b14883529825cd69541783ef231110d072d4a3ec424d60074558d588f42b7436175957f47a69c97073176b60bc0778e9e415ec108f255736a

Download Submit
C:\GAB\12124.TTF

Filesize
135KB

MD5
abd76d61050c97ab0e7bf2db2d9bd5ad

SHA1
adc9a3f93910429353322cb9cf2ca8762a5b5563

SHA256
2dc5949d57d2e172601fb6f5093c1fbf15a463e29ed47c4c8ff2434baf1c2b19

SHA512
605b8325234b1c6e851ae33855e2b511aa9464cf7ce77ea1db6760027e642eec27cafcd744ca3ab11b6995f880a168a16eec9697bffd3721080f10fbdd9cb91e

Download Submit
C:\GAB\12124.TTF

Filesize
3.7MB

MD5
7a1a9ac68359df49378eeaa3d83a9c27

SHA1
c598bb20ac9723bab138f55b20f594ece3c08a85

SHA256
1b52dc36f8e82b7a4477b6469b8f422503cbdabb2fd970aa317efc4818e0e233

SHA512
7baefd5b009288d7f5fb81f27cf364ac1f9740536994769eaf4a3230481599f9d0f5b18cc43835d34da1c298f40e6f80b364e3b10da5a5752343c0efe41d7529

Download Submit
C:\GAB\12124.TTF

Filesize
1024KB

MD5
eaa0a13ca69a2a0d98325f7872611512

SHA1
1cea82c5e611f5ad5857c07956672a21830041ec

SHA256
4bd6eafb9d80247cfb32e205472664f41dbd48963a973d56158587458757859e

SHA512
0d3e8387dca0eaad6753941412e0199e0603fa31d4abb4446337bfae58069df6ac39674347418ee4908b793acf02026ca6c1e8de7d6f1933fb635b8681de47a9

Download Submit
C:\GAB\12124.TTF

Filesize
256KB

MD5
a78a94f12188932b4502283dd687bbed

SHA1
9037a494e2262c0c2d71312f9c2453c910fa812a

SHA256
389f226b44da86d8ef2334ae4aa9d75fbdd4208c0cf84a5951d623ec8843f74b

SHA512
a2880aaf9cca5e13de1b3894be49d711ecf6cff9c68701a05a3e1d63038d4668426619a6c6cad75a8b4fc6c5f0b8a9a6c1b2aa21c32bc266c0ded42a3947fe17

Download Submit
C:\GAB\12124.TTF

Filesize
3.8MB

MD5
7687aa129b89abfccfaee89440094260

SHA1
f1778135d8d0bdd0d6c7a6cbdeb42567299de9ca

SHA256
3b2ab69b2c98c8b895a0f71db914e40cd2eb11b64a34b9dd91b50d123f9f04c2

SHA512
53477f7ddf8d0c525d8cd98688e3dadc3086e3f15e6733d5d4b70d0bbd8f88b72b88f575157b0c0fac722d0e653a9403d8603dc1dd38c0c3491aea9be025f2bb

Download Submit
C:\GAB\12124.TTF

Filesize
2.9MB

MD5
a3a60ac53c7d5a15307768f3c438eff1

SHA1
10e07cd91640fcc01d6871f38e78be7b39d4d79a

SHA256
959704485389189bac66f6d3fff2fe6d5796f14519fa7b6ce61c260681ae447e

SHA512
e4f0f3d6abc41505f406a8f406aa0b30427523e297b96dbe56ddd7077550b7a9c4b0a692e62133ac2b3ec6c5902812fa251c2d7377989dee853bef44a4ed16e7

Download Submit
C:\GAB\12124.TTF

Filesize
224KB

MD5
591005ecddee93752f2743f628f71663

SHA1
1cd4c47dc00920a71574e2fdd52f03eed9c86a47

SHA256
b99e32055a8144950ab54538343e5d9f13ca862fdd83b15f74ea649337ba4c74

SHA512
cbed0febe42b1ac2089f22c83eef44239f5986d48f3b581122b144837a89e2ea28e20df32c9a172c0b0566938a02687bc319d8fbe0fe34437eb4a619831015ea

Download Submit
C:\GAB\12124.TTF

Filesize
224KB

MD5
8924123111f4a88ec9a4541aa713db53

SHA1
342cd5a4ce1d036d72ead842478d3ac2514760f9

SHA256
d71f81c83ec63eaa32d36d5df7be1d9e71d3ea9150f47cebda2924923cbbf18a

SHA512
c02ee1f193fb9f5bf1adee4bf6fea02db1f718ec74c6900419cccdc52e4d1ad6e5c540716c717655153f69b0a4daa6b3832ec9222f803efb181ac8954a032c8f

Download Submit
C:\GAB\12124.TTF

Filesize
34KB

MD5
9e2ee65661bee40438d514fe592bfcf8

SHA1
140a77e69329638a5c53dc01fbcfe0ce9ab93423

SHA256
ac9ee085920a3d8b076d5e0c61dc9df42c4bac28d1fc968344f9ceddb3972f69

SHA512
3b3c7ff00d8f12cea48008a2e95c194f7fc64ee96425a3cfefb8b65a9f7dad66fa16104ec1cf96ac6892426e5e8ab59dab91e3d56d76f58753b80f8ac48f2612

Download Submit
C:\GAB\12124.TTF

Filesize
145KB

MD5
23ed00385dab0f612e66eb0d4ac947ab

SHA1
acc115c0f9f6a25bee5ff37f8af4fdd695d8b596

SHA256
6b00590bd7a52a94e9e90e35a28c1d2fa03f83f458d2f2dfbced70a9c1ea0c80

SHA512
8f5d6d8f888f92be698a1d96824e3c735eb847bc8b1ae5835b9da65d4b6bb7c1690636873565e643d7ea6a19107d40e3a267c89bcfd4a896f356d90b38ecb039

Download Submit
C:\GAB\12124.TTF

Filesize
102KB

MD5
0252223e8c36008b595f5e379ad5e524

SHA1
bc773a38f567c9ecec65485bc588065f2215a386

SHA256
1f7ad9e753a88da096121bd831a7df72868ac48b8edefc8c96c7a73303f1575d

SHA512
828cd37baabb30ed465638f5a080cadadc9da181ee4e4110434f8c19d8edd9684eba110a0b67f6090b62c6df1adeee52d28024e6b63026d26fe724eb6351b240

Download Submit
C:\GAB\12124.fon

Filesize
8KB

MD5
b0ac2d09abc0efc32b28b7e364659a15

SHA1
33738efa553c7dcb30a94055b24fd1a16616bc27

SHA256
a0e5dbe96d1cae29501b481cd98a1eac5f0f662aa367aa9712a419c3c32f4284

SHA512
25853b53eb7c6115546cf59c276142f5aa2e54718f18f98402fa7267cd685601280b2e9f903a4c4e16c74e531bf591f0355fee29b0c702e0c15ba6e00899329f

Download Submit
C:\GAB\12124.fon

Filesize
5KB

MD5
21475b17405b86f37a2c15a1df2733b3

SHA1
e640903a5fa2a800a27b74c73a02ea855dcbd953

SHA256
6e7a86167874f989433a264345e5ea6c0e000861cbca8153858b23d7d35d5ecc

SHA512
5752f5cdd3d6e56de8d6382dced5b7425fead8cbdb21755fb504320157a4aad3a713fb8d5d4d52e843d60b0251b3c14ee6e7720824ace97b9fd8a5dbf7e0d8f0

Download Submit
C:\GAB\12124.fon

Filesize
7KB

MD5
ad75fb38d57de96a18fd5fcad4a282cb

SHA1
2689835e7573d1ea8cfdf6ae7fd77b671baccbc7

SHA256
c7b31d6d41b52ea093fc845bb51f5fc8bb772b278a0cd8d0dac980dc9e6b08eb

SHA512
ef3e09211a3e58428b94bda0f84d84e83e1e76f40b6f633a6a0e4121cfbdd4cf5253627be285e853d8c536a611f8abf6b2cfdff69033e596c56aaa5b625b6bc2

Download Submit
C:\GAB\12124.fon

Filesize
12KB

MD5
dcfe71d27bf49ba16fde0d1945bfb4a2

SHA1
86b3d8696b5da354ef42c8ab4a9d21cdaaf0dda1

SHA256
eacbfca9a5ef05a108ef5337c773d82a43398bb8ea177e5ebeef62934dd75811

SHA512
4da8efcfd4a77e230c61a527eb96b5193b9f5ddc0d476dfca8ce6ba7143ac5c8a1fd8b673cc2c7b554dae42ec01364a178f64532b6de17d44dce07b3089869c3

Download Submit
C:\GAB\12124.fon

Filesize
82KB

MD5
5972eeea7971170eb72cab2fc85c2b17

SHA1
d327d96bd78c5e851e065d053829abbb370c0c09

SHA256
9677467feb714a89de457e262ff6647708b7de66127671b77f7e1e92aa0c2f41

SHA512
c55c5217271f29bd3a7a130daa5e5711eff65630127f90112a26bb4ba3dbf416059f9424606bc1998ff4eec874c18767a395e20c3dc516a00079b2c5a7221ed3

Download Submit
C:\GAB\12124.fon

Filesize
5KB

MD5
20d8e25578beaa684c3577949b48ef57

SHA1
6fb7af0b3f8a9cd4a1e601695cdadfdffc594fe6

SHA256
3a25851cb69c03c7b48e5d23e92d4e85a99e91cd0f5151593163767d1bc9a34d

SHA512
a3f66c85405fba2d03d104a2543c70e710421eb916dbc634cbf55225611cc01c1dec26e397a2b8a8766eb15aead88e7d5e4ca70db21de6569c3da854a2214e81

Download Submit
C:\GAB\12124.fon

Filesize
6KB

MD5
8a5dbabcb9b11e3e0c527b93e69d5e4d

SHA1
c47add614ece5ed16ca456bac08b1f2cbaccfec9

SHA256
824ea3f5eabd9c3b8e0041e78935feb65545f58760ce0c47a0d938ad75f8e241

SHA512
ddcb3520d68321e6372630cb34473c7b310ffed1263cde8e1059837e63e42e7a7e644537044dee774e9ea3e912e485f2630bc106233e039ea925355ec29921c0

Download Submit
C:\GAB\12124.fon

Filesize
35KB

MD5
32aa40b05f3b9f0c3c5a519c2355fdd2

SHA1
91fabebe46ebd21d2ca329ce33ab7eb2e633f5ab

SHA256
f5920991ef1bddb00d4ae09f844d0ba04672a5f26936567547815725a439e3fc

SHA512
5b7e46d8153a42a935df33d21e8512fdc087637c1490896d27d37f405c79dc11a4c7fd1b1089cfeacb10b541d3d8842b75e204d190f10a6cebe553f0d76fd4d6

Download Submit
C:\GAB\12124.fon

Filesize
68KB

MD5
5e142e4d090d689cd44fa8fe9882a743

SHA1
0301f8c9422f933c9d7a65bbe4f7c45feb4fef24

SHA256
a23e6b523d0e3d16cd197e5a525e3f299144577dbdb860ab91e7c14652aad3d4

SHA512
23f77ca93a178d4fdecf54ca1cb6cbc8d6c816deddc630d90fcaa5f3d028a9db29301d32b200c70bcbeb94c8491bd44ffeef51233cfeb011e2081825b167ba16

Download Submit
C:\GAB\12124.fon

Filesize
4KB

MD5
9d2bf033acde5a212f6f5404d490e169

SHA1
a0e28adf40a9d06710d20071dcaba2569b91b1dd

SHA256
93e7c6c123d9b53a2d933f63093b4b85302023517f56abf057f9ef8a94d83b8b

SHA512
8dcb0dd9dc72c2de61e26932b72d5923a43b0f512e8d2df5334f478a78ee80f492bb8cb193dd3a314a6a19dd95e4899b40e7b76c3b1f767f5e8b46d1b1b3c00d

Download Submit
C:\GAB\12124.fon

Filesize
35KB

MD5
8a5853ebfc046f428dd31c5f3ae217ef

SHA1
61dccd934eeaf49b9dfe4385e5ba12ea8eaaa35c

SHA256
0da0d4ed89fd1e8810c7f2cdb5372abfb02cb3d031acacc1a5bbc853f879c2bd

SHA512
b2427ec94402e06af2239277087376ebb5a4a231a2d9fd020e7eae557b865355f257d0fb3c2f2f306c132f919160b5b7d50e0f078f9e382a3ed9ceee3e285c32

Download Submit
C:\GAB\12124.ttc

Filesize
9.1MB

MD5
8ebadd05650b3bfe8a06391de90fe3dd

SHA1
5143e6b0103a111588ee1576653f8f15a5207fb5

SHA256
a79addfddf84d2c83496c87d23a2bef3ff3969f5bba0fddc5d0e685d618373dd

SHA512
68b5fe4ea99b0f09d37329cfcf631bdfedecba61b4ca9dd28de36f9f39817b7c0bebcfd511e4cf298bef678259956424d4621f92ca3cafeb993cd8e090229f72

Download Submit
C:\GAB\12124.ttc

Filesize
13.0MB

MD5
e868c731ec770c425dbc74881b3ca936

SHA1
a8dc99a2e0bc3360f8441243aab13fe7279a759a

SHA256
1e5a4b342c6417bb9352e8c29cb839413987a06438e7b48fd0320925827f289c

SHA512
51bbdbcd06bc41c1ef6a589ca2b6300f1f9350d11b8bfa60605c7a68a0d6a714998bec6060cbc3b27dd2d1485d57f344890b0278d7313dbdb5593334ceea3b49

Download Submit
C:\SalaNses\soles.exe

Filesize
1.2MB

MD5
acebc69ae67997867002990dae3f699d

SHA1
8483b45b2faaa21ad548e72fb49ae3a08143334e

SHA256
f545fbcf52e694eaed07f7869ee67d1dffea29a3769e2482f5eccb3c21148442

SHA512
6c9f88407ffbf228f44270c28d0eeba804a8f3198454becebdd5f2d13eda5c1f0407f1e98569bbcd490225a10ba6e1917c1af1971bd1f636a71250b602dcbf28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
89acf8a29e30b320101cc246fa4857e4

SHA1
07e304b6c9f019c9d1d8d538e23e24ee7f4805a5

SHA256
506443981e2270b680bc110ec46cb7811384ba40648d9b9cef18d3a439af96fc

SHA512
a4b9e137bcdb2f0221a30c5164da0034b9868ca01e825f9535244dfec60ab22188a6633d8f5f20f698a9c6301f39418ee6923238a36d520f8b832f33a92e7525

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
f6076ed3902cac6718b28021b15651ef

SHA1
d9f7a85356118c5d963a9a7a305dd5597dfde4f5

SHA256
1bdf62d0ef0340e6023106b7412aea30f661dca3d9fd0376ac3ca5d08a3e7b90

SHA512
dc2686ffc965bfb794314db2aedd46234b8f00602ff1632aaaaf1a6b834290ce3b405b450328cad08c5addcbf3a1476984d68cb6cf8720db3e8ea7d8c6c53faa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
1d0a4f512c3a62cd36a578f8fef434df

SHA1
78e5fdc1eca3dbd3a8694c6be70fd04ef174f0f8

SHA256
c836ac65d67937fbd1e105a0219e031ced39d8be9d68766525909a32250b99b4

SHA512
3cf746fe56e396b5f14cecf15073daa5aef9bcc81ba9cca399f8e3031cf5fe9fad95d9ca29b09e8e1658da63d93e47d9883436217bc44af76d42f28efd67dad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
3805487e7cb8b3c96b8f5300ab0e18ab

SHA1
be39898793804d3ff4a8178b288db06934e83624

SHA256
30d3682550fa04dd2a9f1038bef3abfb26f9fc49856238e624e042970c129d5a

SHA512
00965f0074a7da751a19ab30b21f076127754041881a875eda9c2237d3b930a8fb28fc0ebe5edfeb8d35f3e1bac51ba52b4770b78704e9a69f811ca9a2ec9680

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
c582b76b174c3777fc1630f581eb196e

SHA1
405da9c54ab46876bfe26344d75c3ffd21a983bc

SHA256
8a168345eed5cee7f94150c5e2a15922a5d9c5b0521cd9ce357dfcfff976d8c6

SHA512
f6a3f536370bf0c0e190ed02776221ca39cb4e8aa67791b7ce5b70297ca7bc0514f3e4f5c7aa00a7aa7d7f3f113dbe751d5019c7968887b183801ba59163fe89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d5be806a80669107f7c2f09086fc16af

SHA1
4fc5ebc6e33df3f221f4b15b314d87ba87474624

SHA256
b71174e064c93a227c6afb0bb61c8a1c972b0b4684f755ad214a8a25b7bd72bb

SHA512
cbe3210d2a15d4e4f130de80820627682b5e577a4bee9e9260194a282fa790722dd7f6b855ff8f0dfe5ed075a35a65d8918a8dab060121d23cf2f5f4439f56a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fe377fc4c013b104dcb2ec4ee0fc0b85

SHA1
387ab3cee89b53686f342741fbcb458cc0a4b866

SHA256
1f81840a9a9648902653027c6a92f0eac36dca36d21bd5588ea2267a86c465e7

SHA512
eb52ff01881df5618f5b1161fa7b9934240ce1e1f95bc90a8838c9d99ec4b9d788787a5c602ad6a3b9778ced81fca9309fec4be20cd100eabde94dba3d75addc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
952a0b63d99a4734286ac7961aedd930

SHA1
70407abcddf17bf124ee70c5fa682a3070ea814d

SHA256
1f5f8bb01e4d32f953c033e19836b663a07c16df4d5713d1e2e856486941dff7

SHA512
009b7435743ba230a02823d12db5250de9d9c324679438aec2c410d7e25e9a70628815496be801957c629717f9bdc867ab13472d9fe40ba3a4a086515e0bf00a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5809a0.TMP

Filesize
1KB

MD5
b2022235e3d2cb1c2a0bb23ffdf3a1bb

SHA1
0dd2099afa6bc6489c8b97d114e7d914a0ecfc94

SHA256
c8a13f2a49b274710874fbe2223cf287f9c457535b23c1a6be11c90605098c08

SHA512
467c0c7279751cd6ba45820c59bd6e463020c2c60f259ba6c253eb99acd938c08f3f6e44810399f89a099ab6f35d0a9ad3ff51f612ae63a30e1e5e37a6e9b989

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4ac003b1f666688399a2c5a4f1facb60

SHA1
db93f188746c664139e12f66efda7f0b258a2830

SHA256
30c5b863b2018e94a8ebc954183084527dd991eba111143b54c86dfc8f02255f

SHA512
7789e099d9eaf788fb53e8709fd4c54bb7161b9a43619cbec75cf07a9b78a76aeb173669a7b0b0ffba49a729cbf4cd3e310fb8e6ac3ee13c6968205cd3ad9567

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b66685e5d472372e5703cee7cbf94f99

SHA1
940ccc0147078f5e3e26044487a7b57cd9fb9509

SHA256
35b995610d4319ef59d0406a8ffe913e15dfc29fadb893506755d6bde84f7c8b

SHA512
6b4e3ab131c5f88cdc3eb0eb9b2e17776cadfe1c83ca6744cf17eea8e546773c236fbff270b0d8798654ac3bb3d0dfc1ae90a9774169965d6a286a4b281aa685

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409220039481\additional_file0.tmp

Filesize
1.4MB

MD5
e9a2209b61f4be34f25069a6e54affea

SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0

SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FEB1CB7\setup.exe

Filesize
6.4MB

MD5
defd30ea336650cc29c0c79fad6fa6b5

SHA1
935d871ed86456c6dd3c83136dc2d1bda5988ff3

SHA256
015a13bd912728e463df6807019b1914dffc3e6735830472e3287150a02e13f4

SHA512
8c6ebbf398fb44ff2254db5a7a2ffbc8803120fa93fa6b72c356c6e8eca45935ab973fe3c90d52d5a7691365caf5b41fe2702b6c76a61a0726faccc392c40e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2409220039482953796.dll

Filesize
5.9MB

MD5
640ed3115c855d32ee1731c54702eab7

SHA1
1ac749b52794cbadfec8d9219530e9a79fc9427c

SHA256
29b4cabc7a0e9dffbc2395b976749be0aad88357dd3b1d7e0cfc9b0c645421a3

SHA512
bebe55fdbb363b78c4a6371304f65b89e03a03cee5a8ebceee1681261d8df64a0de36888ed763c3a607ae2732ab54e2e41edb624f37a7fdf8755c40e6bb96f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0e21mbpq.ard.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\!m.bat

Filesize
1KB

MD5
d295fd5b892b165427abecd1b5aac987

SHA1
ec1bb8ab7bb5ffd6d1c971fde332dab00f78cf5b

SHA256
855a00d99d2cb67512ca1fb49a9954bc085ed9ada3a2d2226757bb347e2cad58

SHA512
800d97dfdb1ef9923c82bf31a77b4cad49bf886aa055d5ee7f4396bc6bcd597a9e638ccdd1cd4878de7d8d273d60228604f97ee6e5b07668002fb08e9636f289

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\anti.exe

Filesize
1.9MB

MD5
cb02c0438f3f4ddabce36f8a26b0b961

SHA1
48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256
64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512
373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\avg.exe

Filesize
5.8MB

MD5
0dc93e1f58cbb736598ce7fa7ecefa33

SHA1
6e539aab5faf7d4ce044c2905a9c27d4393bae30

SHA256
4ec941f22985fee21d2f9d2ae590d5dafebed9a4cf55272b688afe472d454d36

SHA512
73617da787e51609ee779a12fb75fb9eac6ed6e99fd1f4c5c02ff18109747de91a791b1a389434edfe8b96e5b40340f986b8f7b88eac3a330b683dec565a7eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\bundle.exe

Filesize
429KB

MD5
ae4581af98a5b38bce860f76223cb7c9

SHA1
6aa1e2cce517e5914a47816ef8ca79620e50e432

SHA256
7c4b329a4018dc7e927a7d1078c846706efae6e6577f6809defaa51b636e7267

SHA512
11ad90a030999bbb727dbfde7943d27f2442c247633cde5f9696e89796b0f750f85a9be96f01fa3fd1ec97653a334b1376d6bb76d9e43424cabe3a03893ecf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\butdes.exe

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\code.js

Filesize
4KB

MD5
016bf2cf2bad527f1f1ea557408cb036

SHA1
23ab649b9fb99da8db407304ce9ca04f2b50c7b4

SHA256
17bb814cfaa135628fd77aa8a017e4b0dcd3c266b8cdca99e4d7de5d215643c0

SHA512
ac2d4f51b0b1da3c544f08b7d0618b50514509841f81bc9dad03329d5c1a90e205795a51ca59522d3aa660fb60faae19803eceeeea57f141217a6701a70510e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\doc.html

Filesize
15KB

MD5
5622e7755e5f6585a965396b0d528475

SHA1
b059dc59658822334e39323b37082374e8eeaac4

SHA256
080cb8ef0cbf5a5de9163b365eec8b29538e579f14a9caa45c0f11bc173c4147

SHA512
62f5abda3473ca043bf126eed9d0bcc0f775b5ac5f85b4fe52d1d656f476f62188d22cf79b229059a5d05e9258980c787cb755f08ca86e24e5f48655b5447f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\download.jpg

Filesize
8KB

MD5
01a5131931ef35acecbe557ba13f3954

SHA1
c7afc7590d469432704d963ffcee31ad8bcfc175

SHA256
d364872ddde28d81d23bb3b08f9e86f921b542f3a35fcaf12549cf5666462bd0

SHA512
ce32352484d676bd0f47c24808707c603fe9f09e41afd63d90f07599f13a5e32c73b0970a9964632f76f5843dda87a033340ee12fadd87b9f219329d0c69b02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\fence.bat

Filesize
167B

MD5
6465a5431e01a80bf71aca9e9698e5b0

SHA1
d56ed108f13a6c49d57f05e2bf698778fd0b98dc

SHA256
1c5f05fecfc1f4fd508f1d3bbb93a47e8b8196b9eded5de7152a6fa57ca7580f

SHA512
db7f64b8af595d0bf6fd142471868df6d29ec7cfbb49a7e0da63d9bc8ca8f319e4c41f2c7baeafe17a3679861163400ccb36c18617982b244aaf482e9c264e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\flydes.exe

Filesize
833KB

MD5
b401505e8008994bf2a14fdf0deac874

SHA1
e4f7f375b1e88dd71a0274a997ed5d9491bde068

SHA256
6bcf6b84d71737787e3cc8d9d0eed9720f388cc2d0337832a7e8ca3c6f455a41

SHA512
1bca98547ecf5a98d42b1d77cff50ca79ee560c893b2470aeb86887fef6e40a5ccdb72956f04a1d2a862827eebd3b7746e3043f3e6209597dcde9385ed55cc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\fries.jpg

Filesize
12KB

MD5
c4d9d3cd21ef4de91abc95f99c4bc7dc

SHA1
b2cf457237c44c824068727b8440fe6a352a360c

SHA256
6fd1c3bde9a6a478e39d1cf2121e980c0bcf59454fe1673d707aa70170953bc9

SHA512
d10fbb0bdfb30160484950aa58bd2f97c38cf2d0914550b4041c9acd273e8013920ef1ee74216f92437a44ab81111a4c70ed3dc2df680ee4d187c22557900ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\g_.exe

Filesize
69KB

MD5
3cb72c753dd5e198792d1e0be81f7e2b

SHA1
8a55b72a998bf8362a12f68ee8c4801a5a24754c

SHA256
be9d8772b360ca8054929e5f057413b69932ca8e521e6c696e0fb6b371e8cb97

SHA512
008ed2e26fb4f41e9bb245130cc8f285744ccf737adeffc4c78cb11c03261f906cfd50b5b9e78f2c17dc2b8a01d83554e93f4960370064af87e84322cc78ee70

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\gadget.msi

Filesize
23.4MB

MD5
906ad3937f0abd2e5383dc162340496b

SHA1
d63fe621af79e1468ee0cf52e119ffd21775ca8a

SHA256
821e33cf757bd01bec6703796c01726e6674b8de3bc1e7ea834318039e46909e

SHA512
624d76f7905f57679b647cfc676aa8c55cac72d6baa60db7d5ae45662de5da55f856f64adca382b315810088e757903f6c051685fcc83fe330016a8a95754d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\gx.exe

Filesize
3.1MB

MD5
80bf3bf3b76c80235d24f7c698239089

SHA1
7f6071b502df985580e7c469c6d092472e355765

SHA256
2b95e56af10406fbd3ecee38dab9e9c4a9b990d087f2ad2d7b1981c087829da2

SHA512
076b8b6a80ea15738ce682cc715792546582d7a74f971f94f6b5b9cf8164f01280322baec7f72894ac4b8d63b9f2f6074e8fc5e47880ef6c0b57a47beef3581a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\i.exe

Filesize
12KB

MD5
cea5426da515d43c88132a133f83ce68

SHA1
0c224d0bb777f1e3b186fdf58cc82860d96805cc

SHA256
2be7a0865ded1c0bd1f92d5e09bb7b37a9e36a40487a687e0359c93878611a78

SHA512
4c1f25147222c84dff513bebf00e828719454ad634ef9380cfc7835f0457a718b4b437ecb60c1fa72a7f83fbb67e1ddfcd225194eedda77034c72f8c752c642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\images.jpg

Filesize
13KB

MD5
49f4fe0c8646909c7cf87adf68d896fd

SHA1
9193264c38e5ed9fa0f5be1d79f802cf946a74cf

SHA256
9292dfcddc9e88e5dbc095ceeb83ce23400a3405a4d47fffc80656941c87d5ec

SHA512
9df4db8c958110cea66f627170919346ed673d3c13aa55292484fc74ebac2864b0292cd4d66d35957b4b2740b2fe30ddfb9d9e04115d655fb58bf39e100d285e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\nuggets.webp

Filesize
32KB

MD5
e40209599b592630dcac551daeb6b849

SHA1
851150b573f94f07e459c320d72505e52c3e74f0

SHA256
3c9aefa00fb2073763e807a7eccac687dcc26598f68564e9f9cf9ffdcd90a2be

SHA512
6da5895f2833a18ddb58ba4a9e78dd0b3047475cae248e974dc45d839f02c62772a6ba6dfe51dd9a37f29b7ec9780e799f60f0e476655006dec693164e17eec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\rckdck.exe

Filesize
6.2MB

MD5
a79fb1a90fb3d92cf815f2c08d3ade6d

SHA1
25e5e553af5e2d21b5cfc70ba41afb65202f6fd5

SHA256
43759b0c441fd4f71fe5eeb69f548cd2eb40ac0abfa02ea3afc44fbddf28dc16

SHA512
82aa45337987c4f344361037c6ca8cf4fbf0fc1e5079ac03f54f3184354792965f6f3b28bd2ab7b511d21f29859e2832fc6b6122a49ddecde12afc7e26fd62dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\stopwatch.exe

Filesize
68KB

MD5
338a4b68d3292aa22049a22e9292e2a2

SHA1
9595e6f6d5e18a3e71d623ac4012e7633b020b29

SHA256
490d833205f9dfe4f1950d40c845489aa2d2039a77ab10473384986f8442ea6f

SHA512
06bc6463b65508d050c945d5bf08078eecd6982c74c7bab2a6722b99523189d24f530c10c05577e0dbd5b46e896d472112d036023ef5e576e2a8f9401b8668a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\t.exe

Filesize
62KB

MD5
9e0c60453cdea093fa4c6762f9b1fda9

SHA1
02dfa74e42739c4e8a9a0534273f6a89b51f1dd3

SHA256
269c6da90935306778f4f76005d1f00b49703f8819b60e2764cc14a5abc9a781

SHA512
fc499cb6b98529c7a856c9ec7198f2a6d00d0c0d6b16e826913ab8dca2602f6700e3956749d3316484b94e6867f54cf99aa77f23375ea6c5ea75daa88c91aa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\telamon.exe

Filesize
2.3MB

MD5
6a80889e81911157ca27df5bc5ac2e09

SHA1
02ac28dd7124317e294fac847a05b69411c9cdb2

SHA256
0b74c13914f712fce5bb41c25a443c4214a97792bdbb6fea05b98350901405ff

SHA512
329ec105834f4531386090074994e5c4ddbdaf4cc4801956b675e258e9167f9e70cf31b8d636d119b59b57af0912decdc259d12999842008cec807a967c89aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\ucrtbased.dll

Filesize
1.7MB

MD5
c3130cfb00549a5a92da60e7f79f5fc9

SHA1
56c2e8fb1af609525b0f732bb67b806bddab3752

SHA256
eee42eabc546e5aa760f8df7105fcf505abffcb9ec4bf54398436303e407a3f8

SHA512
29bab5b441484bdfac9ec21cd4f0f7454af05bfd7d77f7d4662aeaeaa0d3e25439d52aa341958e7896701546b4a607d3c7a32715386c78b746dfae8529a70748

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1_53b69ece-7c82-45bb-852f-f373528ff2f6\vcruntime140d.dll

Filesize
130KB

MD5
ee7fbf8768a87ea64ad4890540ce48f9

SHA1
bcbc1ebd5a592c2df216d3211f309a79f9cd8a9b

SHA256
03eafdf65d672994e592b8acc8a1276ccae1218a5cb9685b9aa6a5ffe1a855fe

SHA512
0cbf346d46b5c0b09c1f3fb4837c8df662bf0c69de8c4ae292b994ec156c91b78dbaad733226d765b1ca3ee1695566dc90bf85086e438fa15b9eb32058abce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C243J.tmp\is-NGE0F.tmp

Filesize
659KB

MD5
5aa68bb2bf3b994bda93834ad34e7963

SHA1
0156732d5dd48feacfab3aa07764061d73b9116c

SHA256
a90bfd9874c3e60650dba4c286b97ccdb375a456b95556feb38f3cba214770aa

SHA512
e52fecbba96aa911552ef0e11d5d044ec44caf6e0947f64c9a17b04d846a3e86d19e4dfa5ac981fc98d44f941fda3a697c1d23ac6e8ef162f4bcdde9142f22f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DELMU.tmp\telamon.tmp

Filesize
3.1MB

MD5
292d91bef15a5a5d5f5c06425a96e0ee

SHA1
5f4400c94ceebf54825e94cb5d9f616850331e96

SHA256
b6f6cbd03951a6feee4d4766443ce0b7623db000cbfe774146ee43f5a5831373

SHA512
0aca0538ce4c94ef9a8008846add36f51db001905f6cdb373a0348094f11762269aaf92928c6761eb41b1b22cd045ece325b9cd71c67944a1e6c092a72fca200

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FQ4F9.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FQ4F9.tmp\tt-installer-helper.exe

Filesize
404KB

MD5
5b4c8e63be988b83b09e13e9d1d74bb9

SHA1
bcb242f54ee83f232df6b871aebc0f3d44e434c6

SHA256
8ae877bd5f45975d827280bee2e19021c3401b5ba069df0e556f6911798adb4d

SHA512
a31f9e24a4a27847516808b24f312d4df6b865eb421f84d8d4fc022bdb309e08e5648c52c13772a48456c578f3771d232539c7d30132a82a08e8ebbabcbffa0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GFSK5.tmp\butdes.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBCE9.tmp\JsisPlugins.dll

Filesize
2.1MB

MD5
d21ae3f86fc69c1580175b7177484fa7

SHA1
2ed2c1f5c92ff6daa5ea785a44a6085a105ae822

SHA256
a6241f168cacb431bfcd4345dd77f87b378dd861b5d440ae8d3ffd17b9ceb450

SHA512
eda08b6ebdb3f0a3b6b43ef755fc275396a8459b8fc8a41eff55473562c394d015e5fe573b3b134eeed72edff2b0f21a3b9ee69a4541fd9738e880b71730303f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBCE9.tmp\StdUtils.dll

Filesize
195KB

MD5
34939c7b38bffedbf9b9ed444d689bc9

SHA1
81d844048f7b11cafd7561b7242af56e92825697

SHA256
b127f3e04429d9f841a03bfd9344a0450594004c770d397fb32a76f6b0eabed0

SHA512
bc1b347986a5d2107ad03b65e4b9438530033975fb8cc0a63d8ef7d88c1a96f70191c727c902eb7c3e64aa5de9ce6bb04f829ceb627eda278f44ca3dd343a953

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBCE9.tmp\jsis.dll

Filesize
127KB

MD5
2027121c3cdeb1a1f8a5f539d1fe2e28

SHA1
bcf79f49f8fc4c6049f33748ded21ec3471002c2

SHA256
1dae8b6de29f2cfc0745d9f2a245b9ecb77f2b272a5b43de1ba5971c43bf73a1

SHA512
5b0d9966ecc08bcc2c127b2bd916617b8de2dcbdc28aff7b4b8449a244983bfbe33c56f5c4a53b7cf21faf1dbab4bb845a5894492e7e10f3f517071f7a59727c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBCE9.tmp\nsJSON.dll

Filesize
36KB

MD5
f840a9ddd319ee8c3da5190257abde5b

SHA1
3e868939239a5c6ef9acae10e1af721e4f99f24b

SHA256
ddb6c9f8de72ddd589f009e732040250b2124bca6195aa147aa7aac43fc2c73a

SHA512
8e12391027af928e4f7dad1ec4ab83e8359b19a7eb0be0372d051dfd2dd643dc0dfa086bd345760a496e5630c17f53db22f6008ae665033b766cbfcdd930881a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxD803.tmp\CR.History.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxD803.tmp\CR.History.tmp

Filesize
124KB

MD5
320ab9f6dbec3c8d20510addf1592217

SHA1
5afaa95863718f3c181daed05e592eb7008884d5

SHA256
54c9420d75936770b31ad791d1020f52a2857229fdef78385502486491513f49

SHA512
7558f96c12da69cd46e0b4246ea2d6444dfa1f434e8fd5db47f8b56415f252b947c373530d4a2a30005381f67033862a1243298c72a1a3cf407e20e6063a9910

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxD803.tmp\FF.places.tmp

Filesize
5.0MB

MD5
14640ede02774424a6e16d3c3b459bd0

SHA1
00915b6769e94bc726b64a2decc881262b4f1b9f

SHA256
676e950074a335c14afceb09c942c56ad0988ad04221949f6bd83b67570d4483

SHA512
63b063abac61c8fabd140b138a629bc029bf82174578c7e018b12c831285cd30ec53bd43ce1243d903dcddd87facf6c740d04048512f8e42a84d4606365c47fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxD803.tmp\Midex.dll

Filesize
126KB

MD5
2597a829e06eb9616af49fcd8052b8bd

SHA1
871801aba3a75f95b10701f31303de705cb0bc5a

SHA256
7359ca1befdb83d480fc1149ac0e8e90354b5224db7420b14b2d96d87cd20a87

SHA512
8e5552b2f6e1c531aaa9fd507aa53c6e3d2f1dd63fe19e6350c5b6fbb009c99d353bb064a9eba4c31af6a020b31c0cd519326d32db4c8b651b83952e265ffb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxD803.tmp\thirdparty.dll

Filesize
93KB

MD5
7b4bd3b8ad6e913952f8ed1ceef40cd4

SHA1
b15c0b90247a5066bd06d094fa41a73f0f931cb8

SHA256
a49d3e455d7aeca2032c30fc099bfad1b1424a2f55ec7bb0f6acbbf636214754

SHA512
d7168f9504dd6bbac7ee566c3591bfd7ad4e55bcac463cecb70540197dfe0cd969af96d113c6709d6c8ce6e91f2f5f6542a95c1a149caa78ba4bcb971e0c12a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2F2EAC69-C69C-47EF-9A89-0E6EAD5825E0}\scrt.dll

Filesize
5.7MB

MD5
f36f05628b515262db197b15c7065b40

SHA1
74a8005379f26dd0de952acab4e3fc5459cde243

SHA256
67abd9e211b354fa222e7926c2876c4b3a7aca239c0af47c756ee1b6db6e6d31

SHA512
280390b1cf1b6b1e75eaa157adaf89135963d366b48686d48921a654527f9c1505c195ca1fc16dc85b8f13b2994841ca7877a63af708883418a1d588afa3dbe8

Download Submit
C:\Users\Admin\AppData\Roaming\TESAYt.exe

Filesize
934KB

MD5
f7f32729079353000cd97b90aa314cc1

SHA1
21dbddeea2b634263c8fbf0d6178a9751d2467b8

SHA256
8e29aa00863b1746ba25132f7ecb7bcb869d3a7e647dc8d6d3255491c5ac5212

SHA512
2c40c12b81e7c377ddf0a6691ebeedc895dcf02c9211a1563b840de735fab77968565b1d3d0c40cc0b2b583fd4bfa1c69f995fca758ea85f548bf5797b5bf847

Download Submit
C:\Windows\System\LwQQimu.exe

Filesize
5.2MB

MD5
1a81bdea470d2fc90d5df382fe691dfc

SHA1
0c8b1171784a44fe013ad4f110e8cd9051b88392

SHA256
7e8aea1306b9c214d2380c8763378862348a4281de9b105cf6b9aea7353e5413

SHA512
71b67c71cec479e468427612b5fe9094cdeda2a86c9438459ef0c6b6458a198b2fe60e2bd8844457f967c91f1fea50eac7bbad01fa1c5aaf7fde5982ec487017

Download Submit
memory/60-321-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/924-2220-0x00000000064A0000-0x00000000064B0000-memory.dmp

Filesize
64KB

Download
memory/924-2168-0x0000000000830000-0x000000000091A000-memory.dmp

Filesize
936KB

Download
memory/924-2292-0x0000000006B40000-0x0000000006BC2000-memory.dmp

Filesize
520KB

Download
memory/1244-313-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1244-70-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1368-2191-0x00007FF76E600000-0x00007FF76E951000-memory.dmp

Filesize
3.3MB

Download
memory/1420-2138-0x00007FF7BC6E0000-0x00007FF7BCA31000-memory.dmp

Filesize
3.3MB

Download
memory/1420-2285-0x00007FF7BC6E0000-0x00007FF7BCA31000-memory.dmp

Filesize
3.3MB

Download
memory/1736-52-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/1736-53-0x0000000004F30000-0x0000000004FCC000-memory.dmp

Filesize
624KB

Download
memory/1736-54-0x0000000004FD0000-0x0000000005062000-memory.dmp

Filesize
584KB

Download
memory/1736-217-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/1736-56-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/1736-57-0x0000000004EE0000-0x0000000004EEA000-memory.dmp

Filesize
40KB

Download
memory/1736-58-0x00000000051C0000-0x0000000005216000-memory.dmp

Filesize
344KB

Download
memory/1736-51-0x0000000000440000-0x0000000000632000-memory.dmp

Filesize
1.9MB

Download
memory/2244-576-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2312-2114-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2312-2116-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2624-2279-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2624-2102-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2644-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2644-311-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3652-0-0x0000000074EBE000-0x0000000074EBF000-memory.dmp

Filesize
4KB

Download
memory/3652-180-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/3652-2221-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/3652-129-0x0000000074EBE000-0x0000000074EBF000-memory.dmp

Filesize
4KB

Download
memory/3652-4-0x0000000005080000-0x0000000005624000-memory.dmp

Filesize
5.6MB

Download
memory/3652-3-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/3652-2-0x0000000004A10000-0x0000000004A34000-memory.dmp

Filesize
144KB

Download
memory/3652-1-0x0000000000050000-0x000000000009A000-memory.dmp

Filesize
296KB

Download
memory/3716-2278-0x00007FF722C40000-0x00007FF722F91000-memory.dmp

Filesize
3.3MB

Download
memory/3716-2101-0x00007FF722C40000-0x00007FF722F91000-memory.dmp

Filesize
3.3MB

Download
memory/3716-2117-0x0000022E9AC70000-0x0000022E9AC80000-memory.dmp

Filesize
64KB

Download
memory/3784-577-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/3784-142-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/4136-2167-0x00007FF7D9630000-0x00007FF7D9981000-memory.dmp

Filesize
3.3MB

Download
memory/4136-2283-0x00007FF7D9630000-0x00007FF7D9981000-memory.dmp

Filesize
3.3MB

Download
memory/4348-578-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/4452-2166-0x00007FF7DC4A0000-0x00007FF7DC7F1000-memory.dmp

Filesize
3.3MB

Download
memory/4452-2287-0x00007FF7DC4A0000-0x00007FF7DC7F1000-memory.dmp

Filesize
3.3MB

Download
memory/4484-2089-0x0000000000E10000-0x00000000011CB000-memory.dmp

Filesize
3.7MB

Download
memory/4484-2078-0x0000000000E10000-0x00000000011CB000-memory.dmp

Filesize
3.7MB

Download
memory/4484-2024-0x0000000000E10000-0x00000000011CB000-memory.dmp

Filesize
3.7MB

Download
memory/4596-2207-0x00007FF676F00000-0x00007FF677251000-memory.dmp

Filesize
3.3MB

Download
memory/4760-314-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4792-575-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4792-130-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4956-2284-0x00007FF6852D0000-0x00007FF685621000-memory.dmp

Filesize
3.3MB

Download
memory/4956-2174-0x00007FF6852D0000-0x00007FF685621000-memory.dmp

Filesize
3.3MB

Download
memory/5044-2112-0x0000000005850000-0x0000000005932000-memory.dmp

Filesize
904KB

Download
memory/5044-2113-0x00000000055E0000-0x0000000005602000-memory.dmp

Filesize
136KB

Download
memory/5044-2111-0x0000000000D60000-0x0000000000F02000-memory.dmp

Filesize
1.6MB

Download
memory/5148-584-0x0000000005620000-0x000000000563E000-memory.dmp

Filesize
120KB

Download
memory/5148-306-0x0000000004D90000-0x00000000053B8000-memory.dmp

Filesize
6.2MB

Download
memory/5148-301-0x0000000000D50000-0x0000000000D86000-memory.dmp

Filesize
216KB

Download
memory/5148-363-0x0000000004D20000-0x0000000004D42000-memory.dmp

Filesize
136KB

Download
memory/5148-838-0x0000000068150000-0x000000006819C000-memory.dmp

Filesize
304KB

Download
memory/5172-2201-0x00007FF74F250000-0x00007FF74F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/5204-918-0x0000000068150000-0x000000006819C000-memory.dmp

Filesize
304KB

Download
memory/5228-858-0x0000000008150000-0x00000000087CA000-memory.dmp

Filesize
6.5MB

Download
memory/5228-364-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download
memory/5228-873-0x0000000007B60000-0x0000000007B6A000-memory.dmp

Filesize
40KB

Download
memory/5228-978-0x0000000007E30000-0x0000000007E4A000-memory.dmp

Filesize
104KB

Download
memory/5228-365-0x0000000006130000-0x0000000006196000-memory.dmp

Filesize
408KB

Download
memory/5228-829-0x00000000079A0000-0x0000000007A43000-memory.dmp

Filesize
652KB

Download
memory/5228-824-0x0000000006D60000-0x0000000006D7E000-memory.dmp

Filesize
120KB

Download
memory/5228-685-0x0000000068150000-0x000000006819C000-memory.dmp

Filesize
304KB

Download
memory/5228-594-0x0000000006CF0000-0x0000000006D3C000-memory.dmp

Filesize
304KB

Download
memory/5228-682-0x0000000006D80000-0x0000000006DB2000-memory.dmp

Filesize
200KB

Download
memory/5228-1019-0x0000000007E10000-0x0000000007E18000-memory.dmp

Filesize
32KB

Download
memory/5228-369-0x00000000061A0000-0x00000000064F4000-memory.dmp

Filesize
3.3MB

Download
memory/5228-969-0x0000000007D30000-0x0000000007D44000-memory.dmp

Filesize
80KB

Download
memory/5228-859-0x0000000007AD0000-0x0000000007AEA000-memory.dmp

Filesize
104KB

Download
memory/5228-882-0x0000000007D70000-0x0000000007E06000-memory.dmp

Filesize
600KB

Download
memory/5228-909-0x0000000007CF0000-0x0000000007D01000-memory.dmp

Filesize
68KB

Download
memory/5228-960-0x0000000007D20000-0x0000000007D2E000-memory.dmp

Filesize
56KB

Download
memory/5308-2286-0x00007FF6682B0000-0x00007FF668601000-memory.dmp

Filesize
3.3MB

Download
memory/5308-2141-0x00007FF6682B0000-0x00007FF668601000-memory.dmp

Filesize
3.3MB

Download
memory/5356-2200-0x00007FF7C28A0000-0x00007FF7C2BF1000-memory.dmp

Filesize
3.3MB

Download
memory/5508-2205-0x00007FF64F9D0000-0x00007FF64FD21000-memory.dmp

Filesize
3.3MB

Download
memory/5572-599-0x00007FF681D10000-0x00007FF681D39000-memory.dmp

Filesize
164KB

Download
memory/5572-231-0x00007FF681D10000-0x00007FF681D39000-memory.dmp

Filesize
164KB

Download
memory/5596-239-0x00007FF79C710000-0x00007FF79C737000-memory.dmp

Filesize
156KB

Download
memory/5596-622-0x00007FF79C710000-0x00007FF79C737000-memory.dmp

Filesize
156KB

Download
memory/5700-2331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5736-641-0x00007FF7D96E0000-0x00007FF7D9706000-memory.dmp

Filesize
152KB

Download
memory/5736-247-0x00007FF7D96E0000-0x00007FF7D9706000-memory.dmp

Filesize
152KB

Download
memory/5804-249-0x00007FF713B00000-0x00007FF713B26000-memory.dmp

Filesize
152KB

Download
memory/5812-2315-0x0000000005E60000-0x00000000061B4000-memory.dmp

Filesize
3.3MB

Download
memory/5832-2163-0x00007FF7FBFC0000-0x00007FF7FC311000-memory.dmp

Filesize
3.3MB

Download
memory/5832-2282-0x00007FF7FBFC0000-0x00007FF7FC311000-memory.dmp

Filesize
3.3MB

Download
memory/5888-2206-0x00007FF7E3460000-0x00007FF7E37B1000-memory.dmp

Filesize
3.3MB

Download
memory/6020-315-0x0000000009300000-0x0000000009338000-memory.dmp

Filesize
224KB

Download
memory/6020-255-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/6020-312-0x0000000006CC0000-0x0000000006CC8000-memory.dmp

Filesize
32KB

Download
memory/6020-316-0x00000000092D0000-0x00000000092DE000-memory.dmp

Filesize
56KB

Download
memory/6140-2288-0x00007FF772C90000-0x00007FF772FE1000-memory.dmp

Filesize
3.3MB

Download
memory/6140-2178-0x00007FF772C90000-0x00007FF772FE1000-memory.dmp

Filesize
3.3MB

Download
memory/6196-2203-0x00007FF7EE560000-0x00007FF7EE8B1000-memory.dmp

Filesize
3.3MB

Download
memory/6216-2204-0x00007FF7B3CB0000-0x00007FF7B4001000-memory.dmp

Filesize
3.3MB

Download
memory/6608-2199-0x00007FF7CB0C0000-0x00007FF7CB411000-memory.dmp

Filesize
3.3MB

Download
memory/6608-2291-0x00007FF7CB0C0000-0x00007FF7CB411000-memory.dmp

Filesize
3.3MB

Download
memory/6684-2202-0x00007FF6870C0000-0x00007FF687411000-memory.dmp

Filesize
3.3MB

Download
memory/6880-2290-0x00007FF74AB30000-0x00007FF74AE81000-memory.dmp

Filesize
3.3MB

Download
memory/6880-2194-0x00007FF74AB30000-0x00007FF74AE81000-memory.dmp

Filesize
3.3MB

Download
memory/6908-2192-0x00007FF7788B0000-0x00007FF778C01000-memory.dmp

Filesize
3.3MB

Download
memory/6952-2186-0x00007FF6EABE0000-0x00007FF6EAF31000-memory.dmp

Filesize
3.3MB

Download
memory/7076-2289-0x00007FF77ECD0000-0x00007FF77F021000-memory.dmp

Filesize
3.3MB

Download
memory/7076-2182-0x00007FF77ECD0000-0x00007FF77F021000-memory.dmp

Filesize
3.3MB

Download