azorult | d20abd749e459f34d62daeed2e23443883d9eec5e58e578513a92420bb69974b

Analysis

max time kernel
150s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
01-04-2024 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.html
Size

146KB
MD5

4a34f0fe376769a3f7d9929d789098f8
SHA1

eb79a7c4b9899c43bfcf1f8c0cbd388fc1e14472
SHA256

d20abd749e459f34d62daeed2e23443883d9eec5e58e578513a92420bb69974b
SHA512

a7796fb412fd2c874b75843771d95ad947b0dba60447b054a7c7f7a8ad3fb2dd992f419f18360b09517d0317daadd3daa1efc3aab89d35ad3558442b81828f70
SSDEEP

1536:o4kyd8LFVMUK4DgnVR4DBllKoVkL30vD9329s4D+HhqiE:BkzLFoVsllXmxYHhqiE

Score

10^/10

azorult rms aspackv2 evasion infostealer persistence rat trojan upx

Malware Config

Extracted

Family

azorult

http://boglogov.site/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult (2).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult (2).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult (2).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult (2).exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult (2).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult (2).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult (2).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult (2).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult (2).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult (2).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult (2).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult (2).exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult (2).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult (2).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult (2).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult (2).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult (2).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult (2).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult (2).exe

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000100000002a860-725.dat	acprotect
behavioral1/files/0x000100000002a85f-724.dat	acprotect

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000100000002a85d-673.dat	aspack_v212_v242
behavioral1/files/0x000100000002a85c-726.dat	aspack_v212_v242

Executes dropped EXE 13 IoCs

pid	Process
2536	Azorult (2).exe
1424	wini.exe
1284	winit.exe
2696	rutserv.exe
1712	rutserv.exe
4544	rutserv.exe
4320	cheat.exe
3224	rutserv.exe
4576	rfusclient.exe
1956	rfusclient.exe
3636	ink.exe
2884	taskhost.exe
5032	P.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000002a860-725.dat	upx
behavioral1/files/0x000100000002a85f-724.dat	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult (2).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
57	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult (2).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult (2).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult (2).exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0003000000000695-486.dat	autoit_exe
behavioral1/files/0x000100000002a85e-659.dat	autoit_exe
behavioral1/files/0x000100000002a867-758.dat	autoit_exe

Launches sc.exe 18 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1656	sc.exe
3708	sc.exe
3932	sc.exe
2512	sc.exe
2784	sc.exe
1428	sc.exe
3724	sc.exe
3572	sc.exe
4320	sc.exe
3328	sc.exe
4912	sc.exe
2004	sc.exe
3616	sc.exe
3044	sc.exe
2100	sc.exe
4416	sc.exe
1944	sc.exe
952	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3436	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2567984660-2719943099-2683635618-1000\{6FFFE18A-47B6-46B3-A3F0-220410559927}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings	wini.exe

NTFS ADS 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 289721.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 696659.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 865946.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 935138.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Azorult (2).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 695090.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 658069.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 39734.crdownload:SmartScreen	msedge.exe

Runs .reg file with regedit 2 IoCs

pid	Process
3896	regedit.exe
3632	regedit.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4900	msedge.exe
4900	msedge.exe
4968	msedge.exe
4968	msedge.exe
3444	identity_helper.exe
3444	identity_helper.exe
4964	msedge.exe
4964	msedge.exe
4464	msedge.exe
4464	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
3836	msedge.exe
3836	msedge.exe
2536	Azorult (2).exe
2536	Azorult (2).exe
2536	Azorult (2).exe
2536	Azorult (2).exe
2536	Azorult (2).exe
2536	Azorult (2).exe
2536	Azorult (2).exe
2536	Azorult (2).exe
2536	Azorult (2).exe
2536	Azorult (2).exe
2696	rutserv.exe
2696	rutserv.exe
2696	rutserv.exe
2696	rutserv.exe
2696	rutserv.exe
2696	rutserv.exe
1712	rutserv.exe
1712	rutserv.exe
4544	rutserv.exe
4544	rutserv.exe
3224	rutserv.exe
3224	rutserv.exe
3224	rutserv.exe
3224	rutserv.exe
3224	rutserv.exe
3224	rutserv.exe
1956	rfusclient.exe
1956	rfusclient.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	rutserv.exe
Token: SeDebugPrivilege	4544	rutserv.exe
Token: SeTakeOwnershipPrivilege	3224	rutserv.exe
Token: SeTcbPrivilege	3224	rutserv.exe
Token: SeTcbPrivilege	3224	rutserv.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2536	Azorult (2).exe
1424	wini.exe
1284	winit.exe
2696	rutserv.exe
1712	rutserv.exe
4544	rutserv.exe
4320	cheat.exe
3224	rutserv.exe
3636	ink.exe
2884	taskhost.exe
5032	P.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 484	4968	msedge.exe	76
PID 4968 wrote to memory of 484	4968	msedge.exe	76
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4664	4968	msedge.exe	77
PID 4968 wrote to memory of 4900	4968	msedge.exe	78
PID 4968 wrote to memory of 4900	4968	msedge.exe	78
PID 4968 wrote to memory of 2960	4968	msedge.exe	79
PID 4968 wrote to memory of 2960	4968	msedge.exe	79
PID 4968 wrote to memory of 2960	4968	msedge.exe	79
PID 4968 wrote to memory of 2960	4968	msedge.exe	79
PID 4968 wrote to memory of 2960	4968	msedge.exe	79
PID 4968 wrote to memory of 2960	4968	msedge.exe	79
PID 4968 wrote to memory of 2960	4968	msedge.exe	79
PID 4968 wrote to memory of 2960	4968	msedge.exe	79
PID 4968 wrote to memory of 2960	4968	msedge.exe	79
PID 4968 wrote to memory of 2960	4968	msedge.exe	79
PID 4968 wrote to memory of 2960	4968	msedge.exe	79
PID 4968 wrote to memory of 2960	4968	msedge.exe	79
PID 4968 wrote to memory of 2960	4968	msedge.exe	79
PID 4968 wrote to memory of 2960	4968	msedge.exe	79
PID 4968 wrote to memory of 2960	4968	msedge.exe	79
PID 4968 wrote to memory of 2960	4968	msedge.exe	79
PID 4968 wrote to memory of 2960	4968	msedge.exe	79
PID 4968 wrote to memory of 2960	4968	msedge.exe	79
PID 4968 wrote to memory of 2960	4968	msedge.exe	79
PID 4968 wrote to memory of 2960	4968	msedge.exe	79

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Azorult (2).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult (2).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult (2).exe

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4048	attrib.exe
1144	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb6b783cb8,0x7ffb6b783cc8,0x7ffb6b783cd8
  2⤵
  PID:484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3560 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1728 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6888 /prefetch:8
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6252 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6432 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3444 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,12372692665252991858,13313319922737200217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3836
- C:\Users\Admin\Downloads\Azorult (2).exe
  "C:\Users\Admin\Downloads\Azorult (2).exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Blocks application from running via registry modification
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2536
- - C:\ProgramData\Microsoft\Intel\wini.exe
    C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:1424
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
      4⤵
      PID:2816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
        5⤵
        
        PID:720
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        6⤵
        UAC bypass
        Windows security bypass
        Runs .reg file with regedit
        
        PID:3896
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        6⤵
        Runs .reg file with regedit
        
        PID:3632
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:3436
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2696
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1712
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4544
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        6⤵
        Views/modifies file attributes
        
        PID:1144
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        6⤵
        Views/modifies file attributes
        
        PID:4048
      - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        6⤵
        Launches sc.exe
        
        PID:952
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        6⤵
        Launches sc.exe
        
        PID:3708
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        6⤵
        Launches sc.exe
        
        PID:1944
  - - C:\ProgramData\Windows\winit.exe
      "C:\ProgramData\Windows\winit.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1284
- - C:\programdata\install\cheat.exe
    C:\programdata\install\cheat.exe -pnaxui
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4320
  - - C:\ProgramData\Microsoft\Intel\taskhost.exe
      "C:\ProgramData\Microsoft\Intel\taskhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2884
    - - C:\programdata\microsoft\intel\P.exe
        
        C:\programdata\microsoft\intel\P.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5032
- - C:\programdata\install\ink.exe
    C:\programdata\install\ink.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start appidsvc
    3⤵
    PID:3800
  - - C:\Windows\SysWOW64\sc.exe
      sc start appidsvc
      4⤵
      Launches sc.exe
      PID:4912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start appmgmt
    3⤵
    PID:892
  - - C:\Windows\SysWOW64\sc.exe
      sc start appmgmt
      4⤵
      Launches sc.exe
      PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
    3⤵
    PID:2364
  - - C:\Windows\SysWOW64\sc.exe
      sc config appidsvc start= auto
      4⤵
      Launches sc.exe
      PID:3616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
    3⤵
    PID:4656
  - - C:\Windows\SysWOW64\sc.exe
      sc config appmgmt start= auto
      4⤵
      Launches sc.exe
      PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete swprv
    3⤵
    PID:3280
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4320
  - - C:\Windows\SysWOW64\sc.exe
      sc delete swprv
      4⤵
      Launches sc.exe
      PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop mbamservice
    3⤵
    PID:2964
  - - C:\Windows\SysWOW64\sc.exe
      sc stop mbamservice
      4⤵
      Launches sc.exe
      PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
    3⤵
    PID:2092
  - - C:\Windows\SysWOW64\sc.exe
      sc stop bytefenceservice
      4⤵
      Launches sc.exe
      PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
    3⤵
    PID:4856
  - - C:\Windows\SysWOW64\sc.exe
      sc delete bytefenceservice
      4⤵
      Launches sc.exe
      PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete mbamservice
    3⤵
    PID:784
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\sc.exe
      sc delete mbamservice
      4⤵
      Launches sc.exe
      PID:4416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete crmsvc
    3⤵
    PID:2620
  - - C:\Windows\SysWOW64\sc.exe
      sc delete crmsvc
      4⤵
      Launches sc.exe
      PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete "windows node"
    3⤵
    PID:3652
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "windows node"
      4⤵
      Launches sc.exe
      PID:3572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
    3⤵
    PID:1376
  - - C:\Windows\SysWOW64\sc.exe
      sc stop Adobeflashplayer
      4⤵
      Launches sc.exe
      PID:3932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
    3⤵
    PID:4636
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AdobeFlashPlayer
      4⤵
      Launches sc.exe
      PID:4320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop MoonTitle
    3⤵
    PID:4168
  - - C:\Windows\SysWOW64\sc.exe
      sc stop MoonTitle
      4⤵
      Launches sc.exe
      PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
    3⤵
    PID:2760
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MoonTitle"
      4⤵
      Launches sc.exe
      PID:3328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2576

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3224
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1956
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:4576

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
3.6MB

MD5
c5ec8996fc800325262f5d066f5d61c9

SHA1
95f8e486960d1ddbec88be92ef71cb03a3643291

SHA256
892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db

SHA512
4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

Download Submit
C:\ProgramData\Windows\install.vbs

Filesize
140B

MD5
5e36713ab310d29f2bdd1c93f2f0cad2

SHA1
7e768cca6bce132e4e9132e8a00a1786e6351178

SHA256
cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

SHA512
8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

Download Submit
C:\ProgramData\Windows\reg1.reg

Filesize
12KB

MD5
806734f8bff06b21e470515e314cfa0d

SHA1
d4ef2552f6e04620f7f3d05f156c64888c9c97ee

SHA256
7ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544

SHA512
007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207

Download Submit
C:\ProgramData\Windows\reg2.reg

Filesize
1KB

MD5
6a5d2192b8ad9e96a2736c8b0bdbd06e

SHA1
235a78495192fc33f13af3710d0fe44e86a771c9

SHA256
4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

SHA512
411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\vp8decoder.dll

Filesize
155KB

MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\ProgramData\Windows\vp8encoder.dll

Filesize
593KB

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
03a781bb33a21a742be31deb053221f3

SHA1
3951c17d7cadfc4450c40b05adeeb9df8d4fb578

SHA256
e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

SHA512
010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

Download Submit
C:\Programdata\Windows\install.bat

Filesize
418B

MD5
db76c882184e8d2bac56865c8e88f8fd

SHA1
fc6324751da75b665f82a3ad0dcc36bf4b91dfac

SHA256
e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

SHA512
da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ec7568123e3bee98a389e115698dffeb

SHA1
1542627dbcbaf7d93fcadb771191f18c2248238c

SHA256
5b5e61fe004e83477411dd2b6194e90591d36f2f145cc3b4faa20cf7ae266a75

SHA512
4a53fbbd7281a1a391f0040f6ff5515cedf6e1f97f2dae4ab495b4f76eb4f929dcda6b347f9bf7f66a899330f8897e1ed117314945d1de27b035cc170fa447d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
10.0MB

MD5
5df0cf8b8aa7e56884f71da3720fb2c6

SHA1
0610e911ade5d666a45b41f771903170af58a05a

SHA256
dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360

SHA512
724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
16f668b1f7386760d77ce772cabf7ccc

SHA1
0875a1e251d5536b239f0ec2b841d90c7dbc0603

SHA256
5ecb27d61d093af2cd707a107c285b4c1c5578e658f5f2046810302b9497970b

SHA512
97c06df953ad04b967328cd19af2e51f54fd62450a831410eb80d512bcb7d594eb25d07b1db8262b61238339bf9edb70f5f14ff1fd291b0fbd7c3a8a8d854412

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
0518b30cfb8d8ed296246b252b522182

SHA1
5c6028e9bbd118437a14aa4a1969b79657e897cd

SHA256
66dc45ce5ed80d130a31b1744e454a1a9d170e1b5cf3ac8363f8e560c1b8bd3a

SHA512
7a95d4aa951ba469fbc2b262a1ec5cc489830221a4b6e5d643f41a345dff9830fdc13bc6d76bb824785ee6fe07c3edc750fcd910d2143d34d18b907e3613fb49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
d8a1b18a761cb92d35d036d6a6f52940

SHA1
a171b91f90499255deec329bd4f70a1d29377f77

SHA256
5129d5af0f02c917d1fa4f9a04db2aed5daee03e0f6a32a9a48b24d5a8f23fdf

SHA512
ef347bffff854d5eb09232afab70f489d1beeadaf95856e843fab874025fbdcb2eb1cb097c45fc6f9e563c24ef20f706f6c272ebb3718b296dad2442aba1feaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c9edfebf954dc0b263ca7f6914e58e03

SHA1
51f69e4cc5c36d3a964dca0db29357f2c92bd95c

SHA256
ee794e5442b9ac3ffbb14429588e912169049f2337c14c66e2e87e0a2939f76d

SHA512
786844254ae976d2be461a03dc2f2a5b2c18c4dd044864b7207fe58a623233c190bec3f16d6792b927b09e427a282e0d18464b4d89437be7cbbf0ea7f6263416

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
59e66305cd64b53908884e39a024fbf1

SHA1
1f90b1b59c91e3b347a76472ffc795e8ff820202

SHA256
14df6fdc68bebe3e2de1995d8e3bb7db351bc8b44bc1860b06351ba433564dfe

SHA512
deecf58528c0283a02c22055cb8832600a6556251246bd2d927b5b759b622ac9e223ddddaf0d00028cf055e8705c026fc75e3cae9622df8ea91754caf0171768

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
daa41af92009ff127430e0cc8fc9060e

SHA1
1ad32427d8d42d73e9b204b363fd687d804fd0b6

SHA256
86daf432dc06355ff42e6f77e6ba28aa9a254527e4be66511a52da94daca628e

SHA512
f63cd85323c9df6fdc146d5bc5054fb0f05908396a4fde67f311a8ade3b421cda0cea035261d3a8439ad17fb89460fe22f2ea634712574d1596107975a6f373c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
645bf5040f3ca95e35f8a328a275cc31

SHA1
0761d5980034b660334be5e3eaad95d069ccae24

SHA256
fb4bdafa3a2e258a64f7ffecab856a3cee30478bc45e304e1c5b088e197d0f6f

SHA512
6fa3041470a8ea175f32e5ebf76ee7373ef853005aec50de3902741560f0a8ce130e9fd1705273382dacbf88ee6b5080a9b85226c17d018ee927435154ed0c17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
0ba15f72ffb0a37243558588d3e78221

SHA1
814bdfffd723f7de9f8d6d6a0bc8d85a9f275cc0

SHA256
3d0223e1f8bb35870db41872cfbbe467f65bf9a1208dcb4d4ad874e250ccc10a

SHA512
02b168ef9cc226a08955092173c3745a55b28faa438b8152acb90d3bc1d9f433de7d8341def8b452db1986392a59cabc7c69689ad00825c58371ca78021183be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2e114085470609ebf354519be06ba6d2

SHA1
dfdbc5187c6265a0a9f6e756197386482bd869b0

SHA256
dfcbeb1754d4cd108975b5c04c531f5f8effbf4fdc9622755b656a3cb9cab921

SHA512
c7c5715dfe80c4702524fc4f59c5303dd4aab71aacf3cf56e3e678fcca07c3064e81b94db0875b397a7e75240b7f30e0514757f6209a78a98a21a64733b5f57c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b5e701f16a8222b5e399be6222ecfd8f

SHA1
deb8d47fa82938c68452b92704690d7adc48d6fb

SHA256
95bd2397f56f78f8ae71d74dec68fada48e1c149254b269a239f40c7b804c1cb

SHA512
5f350c886e44e12d79f10e622bd4cb78f8edbff83419a5270c5b11b7c169a90efc7a1f48b164c958412d2828bdd503da26e17e97ac1052126eb4978a2e210573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1dc5c23c11ddf1195e92d906f51239a1

SHA1
6f9db4b09711b51e6de708d20848ecd54bcea321

SHA256
158f41c5b31d0cee20ad47276467e606f47ba93af285b6cde5c088d8e20b60cd

SHA512
dc8d2884b8253d8979e08b07a830104d80d006c7f4573151c73832c8935a8c4c83cbf43e93770e570e9030316bedbae3d77140e3183993af9084a07b5f29cc93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57df63.TMP

Filesize
538B

MD5
5d61be1d4380a1cb98a0bf92de598ced

SHA1
f1e4c2557e75a92ff208c1838fc947331821938f

SHA256
fd5e70231cf5b4e0d7eb9e8a5867e5604101cd289364ff5c732538fde4dd954c

SHA512
f1d96ef1fbb440b1db67d339232dfa43a98e2ab3c2a308315f8884e226f73db1d2eef677443e087aa924b0a636ad4f4b887a2a1687997d3761252dde5b2346e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\d55b8abb-48e8-4df2-8fa8-323f58afee37\1

Filesize
5.0MB

MD5
eba07a223ea44e572b5f7fc529f35cd1

SHA1
d98670883ef1443895a6c0462c5fb884b57710bb

SHA256
271e42d4efcacc5a729b85a30b96cf6153ac574875e39079a9519b4c3e1246ff

SHA512
25df6338a77ceec59f016a2365d4817a0720d68a3bd916bb9f2fa3d20fc4230a620d661f3c13e9f68cd06e2002b80674cc7f2e72a8dab44284b653fb75fd2b50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4ad787d5545fa66e2f9fb1534bc733d7

SHA1
b2ffe450b8003ae494be190fbf5a121bd9b02e5c

SHA256
6a296b744b43e54e832a19c7dff35e421801ed2ac38cf73fe40cc59503cedd61

SHA512
f59527a3981c74eeef2a65c07483f336a254f7bcbe32b77038917ec8d5a1fbe396f7d7b3ef656cae7ed3c73fc9cd0ebd24a6d594fe6c482135109b757ed2614f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
de788eb82e1d7d251909417ce5571b58

SHA1
07103eaf29411678bc7d211b5ca32979e17c06f8

SHA256
4028155cfddac8cb173540a168c8bcb1e28b1112e9445a602f88d06072936b14

SHA512
36cd34bedfed70dde2fea2b465856bfcf624b03d14f018ccf71d7b46550198b14b05df1a086915e538a6e2a7468a81532e9c78ffa7a6a0d86851c3ccb8325967

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut64EE.tmp

Filesize
4.5MB

MD5
f9a9b17c831721033458d59bf69f45b6

SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b

SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

Download Submit
C:\Users\Admin\Downloads\Azorult (2).exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 696659.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\programdata\install\cheat.exe

Filesize
4.5MB

MD5
c097289ee1c20ac1fbddb21378f70410

SHA1
d16091bfb972d966130dc8d3a6c235f427410d7f

SHA256
b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2

SHA512
46236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d

Download Submit
C:\programdata\install\ink.exe

Filesize
112KB

MD5
ef3839826ed36f3a534d1d099665b909

SHA1
8afbee7836c8faf65da67a9d6dd901d44a8c55ca

SHA256
136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040

SHA512
040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8

Download Submit
C:\programdata\microsoft\intel\P.exe

Filesize
382KB

MD5
b78c384bff4c80a590f048050621fe87

SHA1
f006f71b0228b99917746001bc201dbfd9603c38

SHA256
8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b

SHA512
479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab

Download Submit
memory/1712-684-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1712-690-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1712-685-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1712-686-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1712-683-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1712-687-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1712-688-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1712-689-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/1956-737-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1956-775-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/1956-755-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1956-743-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1956-746-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1956-741-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2696-675-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2696-676-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2696-681-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2696-674-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2696-677-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2696-678-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2696-680-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/2696-679-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3224-719-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/3224-711-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3224-713-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3224-712-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3224-714-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3224-710-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3224-709-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3636-774-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4544-701-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4544-702-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4544-742-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4544-699-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4544-707-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/4544-698-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4544-703-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4544-700-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4576-740-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4576-736-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4576-744-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4576-745-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4576-773-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/4576-735-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4576-754-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download