azorult | 0226f723ff835d0b46269c1b896fa18fef0a8ed24dc3c72872dcf4cb45be90f9

Resubmissions

06/08/2024, 13:23

240806-qna2qszgkp 10

06/08/2024, 13:20

240806-qla9qazfpm 7

Analysis

max time kernel
150s
max time network
147s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
06/08/2024, 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Robokits_USB_BT_18_ServoCon_Setup_V82.exe
Size

3.1MB
MD5

e0017606ff7935c846769b617a522c90
SHA1

ccbc102781a64f7936310e8f25028101ac3ff353
SHA256

0226f723ff835d0b46269c1b896fa18fef0a8ed24dc3c72872dcf4cb45be90f9
SHA512

b904262e8eea28f2229f6b670cf0240314626a8736aa90ed86f7c254cbe461190f1ba0976794b08dd11242b577c29bf3b2d5d767d910ad48889697a0e0cc34c5
SSDEEP

49152:sN26FOnzGn6LJvqkwnpC+mWd6uIcc+vo7dP6dF/WPxDz0peWUiz8ahxkYu:s06FOznLo0+Dd6uxc+vqYdF/WPxDIXxI

Score

10^/10

azorult rms aspackv2 defense_evasion discovery evasion execution infostealer persistence rat trojan upx

Malware Config

Extracted

Family

azorult

http://boglogov.site/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult(7).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult(7).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult(7).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult(7).exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult(7).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult(7).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult(7).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult(7).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult(7).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult(7).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult(7).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult(7).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult(7).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult(7).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult(7).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult(7).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult(7).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult(7).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult(7).exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 21 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5856	netsh.exe
5548	netsh.exe
4064	netsh.exe
5360	netsh.exe
5300	netsh.exe
5884	netsh.exe
6140	netsh.exe
5784	netsh.exe
5240	netsh.exe
5780	netsh.exe
5956	netsh.exe
5320	netsh.exe
2652	netsh.exe
5348	netsh.exe
2636	netsh.exe
6140	netsh.exe
6072	netsh.exe
1008	netsh.exe
5620	netsh.exe
5552	netsh.exe
4608	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000700000001ad58-958.dat	acprotect
behavioral1/files/0x000700000001ad57-955.dat	acprotect

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000700000001ad55-918.dat	aspack_v212_v242
behavioral1/files/0x000c00000001ad4f-959.dat	aspack_v212_v242

Executes dropped EXE 15 IoCs

pid	Process
4468	irsetup.exe
5576	Azorult(7).exe
5776	wini.exe
6060	winit.exe
5348	rutserv.exe
2840	rutserv.exe
4372	rutserv.exe
3768	rutserv.exe
5124	rfusclient.exe
5208	rfusclient.exe
5616	cheat.exe
5728	Azorult(4).exe
5772	ink.exe
6028	taskhost.exe
5172	P.exe

Loads dropped DLL 1 IoCs

pid	Process
4468	irsetup.exe

Modifies file permissions 1 TTPs 35 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2616	icacls.exe
5148	icacls.exe
4568	icacls.exe
2172	icacls.exe
4648	icacls.exe
2744	icacls.exe
2512	icacls.exe
4800	icacls.exe
5132	icacls.exe
5840	icacls.exe
6004	icacls.exe
5504	icacls.exe
5316	icacls.exe
5736	icacls.exe
5852	icacls.exe
5272	icacls.exe
4064	icacls.exe
2440	icacls.exe
2672	icacls.exe
4632	icacls.exe
984	icacls.exe
3984	icacls.exe
5256	icacls.exe
4008	icacls.exe
6008	icacls.exe
3324	icacls.exe
6072	icacls.exe
3204	icacls.exe
6084	icacls.exe
1712	icacls.exe
4220	icacls.exe
3364	icacls.exe
5568	icacls.exe
5340	icacls.exe
5148	icacls.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001ac15-4.dat	upx
behavioral1/memory/4468-6-0x0000000000400000-0x00000000007CB000-memory.dmp	upx
behavioral1/memory/4468-113-0x0000000000400000-0x00000000007CB000-memory.dmp	upx
behavioral1/files/0x000700000001ad58-958.dat	upx
behavioral1/files/0x000700000001ad57-955.dat	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult(7).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
116	raw.githubusercontent.com
121	raw.githubusercontent.com
113	raw.githubusercontent.com
114	raw.githubusercontent.com
115	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
141	ip-api.com

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult(7).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult(7).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult(7).exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000800000001ad46-825.dat	autoit_exe
behavioral1/files/0x000700000001ad56-894.dat	autoit_exe
behavioral1/files/0x000700000001ad67-1021.dat	autoit_exe

Hide Artifacts: Hidden Users 1 TTPs 3 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult(7).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult(7).exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6056	sc.exe
5356	sc.exe
6092	sc.exe
5964	sc.exe
5560	sc.exe
5280	sc.exe
5544	sc.exe
5320	sc.exe
5148	sc.exe
5260	sc.exe
5588	sc.exe
4640	sc.exe
5572	sc.exe
5880	sc.exe
6128	sc.exe
3148	sc.exe
5936	sc.exe
5824	sc.exe
5676	sc.exe
5560	sc.exe
5844	sc.exe
5288	sc.exe
5776	sc.exe
5280	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 10 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\Azorult(2).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(7).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(6).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(4).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(8).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(5).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(3).exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Robokits_USB_BT_18_ServoCon_Setup_V82.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Azorult(7).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Azorult(4).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ink.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
5204	timeout.exe
6044	timeout.exe
4592	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
6140	taskkill.exe
5476	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	wini.exe

NTFS ADS 10 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Azorult(3).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(4).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(6).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(8).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(5).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(2).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(7).exe:Zone.Identifier	firefox.exe

Runs .reg file with regedit 2 IoCs

pid	Process
5160	regedit.exe
5184	regedit.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
5576	Azorult(7).exe
5576	Azorult(7).exe
5576	Azorult(7).exe
5576	Azorult(7).exe
5576	Azorult(7).exe
5576	Azorult(7).exe
5576	Azorult(7).exe
5576	Azorult(7).exe
5576	Azorult(7).exe
5576	Azorult(7).exe
5348	rutserv.exe
5348	rutserv.exe
5348	rutserv.exe
5348	rutserv.exe
5348	rutserv.exe
5348	rutserv.exe
2840	rutserv.exe
2840	rutserv.exe
4372	rutserv.exe
4372	rutserv.exe
3768	rutserv.exe
3768	rutserv.exe
3768	rutserv.exe
3768	rutserv.exe
3768	rutserv.exe
3768	rutserv.exe
5124	rfusclient.exe
5124	rfusclient.exe
5728	Azorult(4).exe
5728	Azorult(4).exe
5728	Azorult(4).exe
5728	Azorult(4).exe
5728	Azorult(4).exe
5728	Azorult(4).exe
5728	Azorult(4).exe
5728	Azorult(4).exe
5728	Azorult(4).exe
5728	Azorult(4).exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
624	Process not Found

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	firefox.exe
Token: SeDebugPrivilege	2476	firefox.exe
Token: SeDebugPrivilege	5348	rutserv.exe
Token: SeDebugPrivilege	4372	rutserv.exe
Token: SeTakeOwnershipPrivilege	3768	rutserv.exe
Token: SeTcbPrivilege	3768	rutserv.exe
Token: SeDebugPrivilege	2476	firefox.exe
Token: SeDebugPrivilege	2476	firefox.exe
Token: SeDebugPrivilege	2476	firefox.exe
Token: SeTcbPrivilege	3768	rutserv.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2476	firefox.exe
2476	firefox.exe
2476	firefox.exe
2476	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2476	firefox.exe
2476	firefox.exe
2476	firefox.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
4468	irsetup.exe
4468	irsetup.exe
4468	irsetup.exe
2476	firefox.exe
2476	firefox.exe
2476	firefox.exe
2476	firefox.exe
2476	firefox.exe
2476	firefox.exe
2476	firefox.exe
2476	firefox.exe
2476	firefox.exe
2476	firefox.exe
2476	firefox.exe
5576	Azorult(7).exe
5776	wini.exe
6060	winit.exe
5348	rutserv.exe
2840	rutserv.exe
4372	rutserv.exe
2476	firefox.exe
2476	firefox.exe
2476	firefox.exe
3768	rutserv.exe
5616	cheat.exe
2476	firefox.exe
2476	firefox.exe
2476	firefox.exe
5728	Azorult(4).exe
5772	ink.exe
6028	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 4468	4988	Robokits_USB_BT_18_ServoCon_Setup_V82.exe	72
PID 4988 wrote to memory of 4468	4988	Robokits_USB_BT_18_ServoCon_Setup_V82.exe	72
PID 4988 wrote to memory of 4468	4988	Robokits_USB_BT_18_ServoCon_Setup_V82.exe	72
PID 3472 wrote to memory of 2476	3472	firefox.exe	75
PID 3472 wrote to memory of 2476	3472	firefox.exe	75
PID 3472 wrote to memory of 2476	3472	firefox.exe	75
PID 3472 wrote to memory of 2476	3472	firefox.exe	75
PID 3472 wrote to memory of 2476	3472	firefox.exe	75
PID 3472 wrote to memory of 2476	3472	firefox.exe	75
PID 3472 wrote to memory of 2476	3472	firefox.exe	75
PID 3472 wrote to memory of 2476	3472	firefox.exe	75
PID 3472 wrote to memory of 2476	3472	firefox.exe	75
PID 3472 wrote to memory of 2476	3472	firefox.exe	75
PID 3472 wrote to memory of 2476	3472	firefox.exe	75
PID 2476 wrote to memory of 656	2476	firefox.exe	76
PID 2476 wrote to memory of 656	2476	firefox.exe	76
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77
PID 2476 wrote to memory of 4376	2476	firefox.exe	77

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult(7).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Azorult(7).exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5520	attrib.exe
5532	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Robokits_USB_BT_18_ServoCon_Setup_V82.exe
"C:\Users\Admin\AppData\Local\Temp\Robokits_USB_BT_18_ServoCon_Setup_V82.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742706 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\Robokits_USB_BT_18_ServoCon_Setup_V82.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-4106386276-4127174233-3637007343-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4468

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.0.328520511\225315588" -parentBuildID 20221007134813 -prefsHandle 1628 -prefMapHandle 1620 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bdb737f-842a-4fd6-a730-b36bdc08afc5} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 1764 282f96d7558 gpu
    3⤵
    PID:656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.1.1915866901\1319577917" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b488ba1d-d3fc-4f24-bd1f-8c753e8da8d3} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 2120 282e7370a58 socket
    3⤵
    PID:4376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.2.990987118\1759778170" -childID 1 -isForBrowser -prefsHandle 2752 -prefMapHandle 2916 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a7fd13d-c1ed-4768-ac30-940158ce48f8} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 2892 282fd994158 tab
    3⤵
    PID:3044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.3.1198687850\16545944" -childID 2 -isForBrowser -prefsHandle 3016 -prefMapHandle 3024 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f107f4d5-e5f2-4793-954b-84f931b96ca7} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 3092 282e7362558 tab
    3⤵
    PID:336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.4.1145691244\375646531" -childID 3 -isForBrowser -prefsHandle 4396 -prefMapHandle 4392 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3806df0f-2e30-4049-9873-2a2d98aa9478} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 4408 282fe77a158 tab
    3⤵
    PID:4428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.5.67093019\1283840955" -childID 4 -isForBrowser -prefsHandle 4940 -prefMapHandle 4948 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef6aff8e-e24b-4f56-97c0-edf1cd0f6261} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 4956 282fff5c858 tab
    3⤵
    PID:4288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.6.646623070\2058640377" -childID 5 -isForBrowser -prefsHandle 5096 -prefMapHandle 5100 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef5a6377-f860-4491-b1ad-01c102c091ff} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 5088 282fff5f258 tab
    3⤵
    PID:4052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.7.870340819\967464502" -childID 6 -isForBrowser -prefsHandle 5264 -prefMapHandle 5268 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {261c320d-e11a-4bd0-9054-58497fe7a96e} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 5256 28300b81858 tab
    3⤵
    PID:3016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.8.896831968\1099145170" -childID 7 -isForBrowser -prefsHandle 2476 -prefMapHandle 3864 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e0b7c2d-8de7-4aa6-98e0-4de4b21affc4} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 5292 282f9c0f258 tab
    3⤵
    PID:4408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.9.348648463\1082654043" -childID 8 -isForBrowser -prefsHandle 5060 -prefMapHandle 4980 -prefsLen 26830 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {017c272a-4744-439b-9d39-a13b0aa8c301} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 5048 282ffcb5258 tab
    3⤵
    PID:2856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.10.674710748\1392435718" -childID 9 -isForBrowser -prefsHandle 5028 -prefMapHandle 4560 -prefsLen 26830 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7aa88621-aca5-4244-b055-e2af72703f4c} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 5040 282ffddb658 tab
    3⤵
    PID:912
- - C:\Users\Admin\Downloads\Azorult(7).exe
    "C:\Users\Admin\Downloads\Azorult(7).exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - UAC bypass
    - Blocks application from running via registry modification
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies WinLogon
    - Hide Artifacts: Hidden Users
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:5576
  - - C:\ProgramData\Microsoft\Intel\wini.exe
      C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:5776
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        7⤵
        UAC bypass
        Windows security bypass
        Hide Artifacts: Hidden Users
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:5160
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        7⤵
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:5184
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5204
        
        C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5348
        
        C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4372
        
        C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        7⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:5520
        
        C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        7⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:5532
        
        C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5544
    - - C:\ProgramData\Windows\winit.exe
        
        "C:\ProgramData\Windows\winit.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6060
      - C:\Program Files (x86)\Windows Mail\WinMail.exe
        
        "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
        6⤵
        
        PID:5368
        
        C:\Program Files\Windows Mail\WinMail.exe
        
        "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
        7⤵
        
        PID:3104
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
        6⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        7⤵
        Delays execution with timeout.exe
        
        PID:6044
  - - C:\programdata\install\cheat.exe
      C:\programdata\install\cheat.exe -pnaxui
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5616
    - - C:\ProgramData\Microsoft\Intel\taskhost.exe
        
        "C:\ProgramData\Microsoft\Intel\taskhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6028
      - C:\programdata\microsoft\intel\P.exe
        
        C:\programdata\microsoft\intel\P.exe
        6⤵
        Executes dropped EXE
        
        PID:5172
      - C:\programdata\microsoft\intel\R8.exe
        
        C:\programdata\microsoft\intel\R8.exe
        6⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        7⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        8⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        9⤵
        Kills process with taskkill
        
        PID:5476
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        9⤵
        Kills process with taskkill
        
        PID:6140
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        9⤵
        Delays execution with timeout.exe
        
        PID:4592
  - - C:\programdata\install\ink.exe
      C:\programdata\install\ink.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appidsvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:5788
    - - C:\Windows\SysWOW64\sc.exe
        
        sc start appidsvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:6056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appmgmt
      4⤵
      PID:6112
    - - C:\Windows\SysWOW64\sc.exe
        
        sc start appmgmt
        5⤵
        Launches sc.exe
        
        PID:5280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
      4⤵
      PID:5244
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config appidsvc start= auto
        5⤵
        Launches sc.exe
        
        PID:5356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
      4⤵
      PID:5316
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config appmgmt start= auto
        5⤵
        Launches sc.exe
        
        PID:5676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete swprv
      4⤵
      PID:2488
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete swprv
        5⤵
        Launches sc.exe
        
        PID:5824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop mbamservice
      4⤵
      PID:5840
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop mbamservice
        5⤵
        Launches sc.exe
        
        PID:5880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
      4⤵
      PID:5892
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop bytefenceservice
        5⤵
        Launches sc.exe
        
        PID:5936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
      4⤵
      PID:5736
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete bytefenceservice
        5⤵
        Launches sc.exe
        
        PID:6092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete mbamservice
      4⤵
      PID:5996
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete mbamservice
        5⤵
        Launches sc.exe
        
        PID:5776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete crmsvc
      4⤵
      PID:5976
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete crmsvc
        5⤵
        Launches sc.exe
        
        PID:5964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete "windows node"
      4⤵
      PID:5972
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete "windows node"
        5⤵
        Launches sc.exe
        
        PID:5280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
      4⤵
      PID:6116
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop Adobeflashplayer
        5⤵
        Launches sc.exe
        
        PID:3148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
      4⤵
      PID:3632
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete AdobeFlashPlayer
        5⤵
        Launches sc.exe
        
        PID:5320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop MoonTitle
      4⤵
      PID:2072
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop MoonTitle
        5⤵
        Launches sc.exe
        
        PID:5288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
      4⤵
      PID:5244
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete MoonTitle"
        5⤵
        Launches sc.exe
        
        PID:5560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop AudioServer
      4⤵
      PID:5548
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop AudioServer
        5⤵
        Launches sc.exe
        
        PID:5148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete AudioServer"
      4⤵
      PID:5136
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete AudioServer"
        5⤵
        Launches sc.exe
        
        PID:4640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
      4⤵
      PID:5536
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop clr_optimization_v4.0.30318_64
        5⤵
        Launches sc.exe
        
        PID:5260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
      4⤵
      PID:5316
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete clr_optimization_v4.0.30318_64"
        5⤵
        Launches sc.exe
        
        PID:5588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
      4⤵
      PID:5520
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop MicrosoftMysql
        5⤵
        Launches sc.exe
        
        PID:5844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
      4⤵
      PID:5760
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete MicrosoftMysql
        5⤵
        Launches sc.exe
        
        PID:6128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
      4⤵
      PID:5784
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set allprofiles state on
        5⤵
        Modifies Windows Firewall
        
        PID:4064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
      4⤵
      PID:5736
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
        5⤵
        Modifies Windows Firewall
        
        PID:5348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
      4⤵
      PID:5616
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
        5⤵
        Modifies Windows Firewall
        
        PID:2652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
      4⤵
      PID:5972
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
        5⤵
        Modifies Windows Firewall
        
        PID:6140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
      4⤵
      PID:5356
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
        5⤵
        Modifies Windows Firewall
        
        PID:5548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      PID:2216
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:5360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      PID:5448
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:5956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      PID:2488
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:5856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      PID:5324
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:5320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      PID:3148
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      PID:5792
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:6072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
      4⤵
      PID:5644
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6056
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
      4⤵
      PID:3184
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:5780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
      4⤵
      PID:5612
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:5784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
      4⤵
      PID:4064
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:5620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
      4⤵
      PID:5528
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:6140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
      4⤵
      PID:5856
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:5240
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
      4⤵
      PID:4952
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
        5⤵
        Modifies Windows Firewall
        
        PID:5884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
      4⤵
      PID:5864
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
        5⤵
        Modifies Windows Firewall
        
        PID:5300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
      4⤵
      PID:5132
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
        5⤵
        Modifies Windows Firewall
        
        PID:4608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
      4⤵
      PID:5176
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
        5⤵
        Modifies Windows Firewall
        
        PID:5552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:5128
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      4⤵
      PID:5212
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:4012
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
      4⤵
      PID:3588
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:2664
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
      4⤵
      PID:4660
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:888
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      4⤵
      PID:2492
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:1732
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      4⤵
      PID:5144
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:5968
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      4⤵
      PID:5436
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:4452
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
      4⤵
      PID:2256
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
      4⤵
      PID:5820
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      4⤵
      PID:5616
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
      4⤵
      PID:1712
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls c:\programdata\Malwarebytes /deny Admin:(F)
        5⤵
        Modifies file permissions
        
        PID:6004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
      4⤵
      PID:5864
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls c:\programdata\Malwarebytes /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:5504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
      4⤵
      PID:640
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\MB3Install /deny Admin:(F)
        5⤵
        Modifies file permissions
        
        PID:4568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
      4⤵
      PID:6024
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\MB3Install /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:3984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
      4⤵
      PID:3020
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      4⤵
      PID:1832
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:5804
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
      4⤵
      PID:6060
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
      4⤵
      PID:6072
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:6132
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
      4⤵
      PID:4012
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      4⤵
      PID:5368
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:5988
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:5912
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:5972
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:2408
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:5496
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:232
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:4008
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5132
- - C:\Users\Admin\Downloads\Azorult(4).exe
    "C:\Users\Admin\Downloads\Azorult(4).exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5728

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3768
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5124
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    PID:6112
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Intel\R8.exe

Filesize
887KB

MD5
ad95d98c04a3c080df33ed75ad38870f

SHA1
abbb43f7b7c86d7917d4582e47245a40ca3f33c0

SHA256
40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

SHA512
964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
3.6MB

MD5
c5ec8996fc800325262f5d066f5d61c9

SHA1
95f8e486960d1ddbec88be92ef71cb03a3643291

SHA256
892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db

SHA512
4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

Download Submit
C:\ProgramData\Windows\install.vbs

Filesize
140B

MD5
5e36713ab310d29f2bdd1c93f2f0cad2

SHA1
7e768cca6bce132e4e9132e8a00a1786e6351178

SHA256
cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

SHA512
8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

Download Submit
C:\ProgramData\Windows\reg1.reg

Filesize
12KB

MD5
806734f8bff06b21e470515e314cfa0d

SHA1
d4ef2552f6e04620f7f3d05f156c64888c9c97ee

SHA256
7ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544

SHA512
007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207

Download Submit
C:\ProgramData\Windows\reg2.reg

Filesize
1KB

MD5
6a5d2192b8ad9e96a2736c8b0bdbd06e

SHA1
235a78495192fc33f13af3710d0fe44e86a771c9

SHA256
4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

SHA512
411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\vp8decoder.dll

Filesize
155KB

MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\ProgramData\Windows\vp8encoder.dll

Filesize
593KB

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
03a781bb33a21a742be31deb053221f3

SHA1
3951c17d7cadfc4450c40b05adeeb9df8d4fb578

SHA256
e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

SHA512
010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

Download Submit
C:\Programdata\Windows\install.bat

Filesize
418B

MD5
db76c882184e8d2bac56865c8e88f8fd

SHA1
fc6324751da75b665f82a3ad0dcc36bf4b91dfac

SHA256
e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

SHA512
da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\13467

Filesize
13KB

MD5
946fde0f299492c42151f070e6393e75

SHA1
04b581755cde9da3c8ba4eb91b9c7a8b8e037f6d

SHA256
07e3352b75e87caf16ec93dad73048b979f66b2e175ce19e3d1deeb047c117b4

SHA512
03b9f69802fab56f95c449eb1e0fcc8ce83c47492fa865f18c11f72205f52f80649cde956b6a4ae693f089210f183172ff773aaacf4226ac1865532299bc13c5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\21411

Filesize
62KB

MD5
451139a65ba19777de136e365a06e6dc

SHA1
1309aee2aa0d4d5c0be8d095fde3da2cfe15f094

SHA256
63a6992249f0ae927ad29b52c4b0e6effab2a824d076f8ba1df63992a3459ead

SHA512
807dea1be3bca2ccd05d70df172996a66d4b67f42b19bc5aaf1f9ed586e731843c01f5a9f36f2032b6aaa0610d3474f21c9048dd6b889df60f431088ba3b1276

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\25254

Filesize
13KB

MD5
65045609b25b6c9831242f60d7c2963d

SHA1
e96cbe4814bf788178c331b366c08157f22f7850

SHA256
281ced5288a112eca8f508009b1a0b65a356b48b8bed6fabb5cf18af91fd5017

SHA512
f431b10341725c02df6eae15d7e06a1bb72869712e1ed32974086de7d3739e2df1b9285da9624eecefc334264618eba4466eff40e29686a48dfadd2d05015c3e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\8304

Filesize
13KB

MD5
2053c590ab1218408af3947adf45a909

SHA1
123d288c80e221eb47b325534b1cb5314f8b5593

SHA256
e81fbcab39d715feda3857de7de9061f8cb0c5fcff83d15b9497f930d552c88e

SHA512
c35e335f49dec7b46b9f9068cb4c40ec9c804b4c1c3cf455c04681f2c231420a18d62a0ab79082f5801e3d804793035101ae08e087b8690e24fb5dd959700603

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\003B9E0A2EAC56AAFE3116E93CC53920DFB930FE

Filesize
85KB

MD5
94694f2e102f319a71f2cfb4e571f50e

SHA1
5999ffcbe082c2469916c4c05b10f78c1fc5487a

SHA256
8ebebb753c29379118a5270047dd498993612b0e25287c80a027752e39addea0

SHA512
a89cbca0b41be76c29c15454cf3cb13262469d374c80e4c5bb65e0b9440d5db0a6aef4cfe5ac9e58c00a6d4d1e45b380154c5be6ad1a979f9b6fc3c78a6a5db4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\2791FC831FA81C53B4A8E99F723C6791FD8B47DA

Filesize
50KB

MD5
98e0ee5585166b9fcec16497ade20b55

SHA1
99c4adad884cf1c96d640321dd602e3050fc93b4

SHA256
38e9a632307e185105ad46f8a44f9f8f210a3394460946d4af9d4cf41ff99697

SHA512
245fd4af4ecc6151b6c65324136b798baeb09578b3ad2689404169dd1d67476f00990b1468bcdca24c7e67e8a8bc3f96568e7349ff22727b3f6bbfe656c6f8ee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\2CEED65B80326C0EE6F5C8CECBDCF289C119BC7D

Filesize
94KB

MD5
08114bdaf40f230094e8921ab72eeb50

SHA1
e867863a1d3803ecab2deb3c62acfd4f22ab7510

SHA256
519332e5d5f55a28ecd0388d9694d35adea103356dc2694fb40d712e95da3c68

SHA512
5b32c4043f292d0d329c8b1b76dfad387dae8c8139104e490957c3b126c89f18b4189ab4b437541dd329a70dfa5d7edee5e4c459a5bc008368164f5b6dcb1c3b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\6F56E93B4E08BC847CB93B94DF4759FBBEEF85A7

Filesize
65KB

MD5
d1f15edab67341e2c172adc9e144c941

SHA1
2ef31e996a1625a5ed5b4ae742c8887a52147671

SHA256
77372289ab9411836641881df64a056175e038de22b9264801e1d1b1d7a6e602

SHA512
51f91389da2e70157d1b8ff09946654193ede56906f26039605d408fb187a7d5ed164d5ce64da7f521875615d40147a636913a12f7a286063c0fe264284a6089

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\BFEF5B7F3B00F0A81ED1F7E43EA7F8DE07A9D010

Filesize
43KB

MD5
554ff2ba1d31e89d1f15f689d7812809

SHA1
d99e7bd01c03addc7f0f9d5d20d67e0dfb26367e

SHA256
0945179341fa04987d2ca85b049d2fec31187d70ad6563163dcc72a533c18269

SHA512
d35b7464a4505254d61f0049d24e5915195b56419daea8fe20410e3f3649a206e3f69d22df2096799cd65425bda4de6be452140afeaba2d16a623fe2400125c0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\C45EB0179CFFFC7B4CA1E522C371AA6043DFB334

Filesize
218KB

MD5
845bc7187e8db3479e95c0b62c1b5e2e

SHA1
91baef3af5c99ce62d127a492f00395a6c954668

SHA256
a4aec99fea64acaf6a7b4c8b0a0680e62e74b797a08f552d45523abf6ec24e0a

SHA512
985c99f00850691383626be04341c76ca26ad465b1a3296ee7cb1733f953ce06f0ff0204c6d9a734f91d6c9ec2782502391cd524380dd17cac100c452b6dc6d1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\CBFB415A72A631B4C4F5CFAAA213F430321E2A32

Filesize
41KB

MD5
92742235097876e6280dc96c33474f9b

SHA1
4c8519193b730ac1252696e47f4cd23c3f318d03

SHA256
d55091b19c2b63e95af2f5f295d54992204fdec39ec14e5ddd7c67be08a6e990

SHA512
b884ee4eea6187457f5b6363517552eb1203ad3037625b1efcc9cf089b174e053e641bbc505a9d574003d70b9f318655d5d3c73b05c594efc8580ae7046862ca

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\E43DA6CCFCDC1C6C880E605F3394FD464C3D5999

Filesize
60KB

MD5
9d2d42cbbdeb48ecd1127670d6f085c7

SHA1
a6667577eed7f4d992dd87580bc86e44997fd858

SHA256
ff6f048527eb247b556faea46a246aef7536ad518da3ab2c6472580186095cc3

SHA512
6c1a2663d5ce47e554456e5cd5f01f958fb8b52e7d44271d41844303b5078236921f6efb22dafd4fd10c10dd2e50db0d4df024e7b352724a9fa891f605ae9745

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\E6C22A3DFCD18E3C6145370266896FF76AE3F7EC

Filesize
39KB

MD5
2645a538b61468d79fba90749d937018

SHA1
3a0fe87c38e68f6409c94e22c6eabd8bc00d9471

SHA256
a62468b864f83f14de0fe7d3e7dfa4698f88a76cd3ba5b75aae55401ab42bd08

SHA512
f8524afe36fa85d21040783970c0a2a7a70db5acc2c72e1bb179f81406b91dd2805939420daa1a0c9a046002049a86fbb8576caeaaadce4b1683a6b7f1f3b449

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\jumpListCache\U8Ll5fF+pNs6NFvg86aXLw==.ico

Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut3DA0.tmp

Filesize
4.5MB

MD5
f9a9b17c831721033458d59bf69f45b6

SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b

SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut90CC.tmp

Filesize
61B

MD5
398a9ce9f398761d4fe45928111a9e18

SHA1
caa84e9626433fec567089a17f9bcca9f8380e62

SHA256
e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

SHA512
45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
048a166802e035cd4e4ac4c4784b6c48

SHA1
8542a634f4c11fd2d94d66df8cd31975a8e4b0ec

SHA256
a7315b0d5e945abc5c122eee5bff3c2e206f61bb0b1936ecde225a20e7699a4e

SHA512
c5be36c6484ed00eddb7d40cab9cfc095191991b9a24cf740040f30b99604b90a32746c9f697766e15d15e43061a2b4d3456caff3dbe075a77859c1812425150

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\5b38f3bc-b77a-42f1-b10e-c3b1da501989

Filesize
746B

MD5
bef87b2237998fb084d12ac2809770e7

SHA1
1cf0610a5db5f620188ccab4d743bfff743d4681

SHA256
58b32532459df5ed4eddc8d43468903ae6cb4ab90be8abd508a5a8ec1a9dab71

SHA512
efcffbea04958c028b7b38cf9597b3734c1da53f9935993ac14f0076dda97fb6476f9c080d296f7c800363d3101b28bc0703d1f4e99b5b4ffd8ed72c173cf266

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\b59ffcb1-ba6d-4c3b-9678-b9f467e3e542

Filesize
10KB

MD5
f9468c7d471992a466a5a5413c5ef8fd

SHA1
371e7ee8a5eaa9eac4358d558c960b72c0218b19

SHA256
4aa7017b8a41d3ac8dc49c50494d7b99f4475f39191baff1ed9c95ddeef30d7d

SHA512
0e9d0861ca2253bd8ea23295d9369229d13e1923ae3e333eb85eae11d50fe00e6515c623eeb793ec41f6abbb2f9bbc440d9eb817468388b29841f9e7275e1412

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
39a2ca301395a2b2c2775b466812c035

SHA1
e655d29393500bbc93dd4c801ca7efdc2403f839

SHA256
3331d14588f94a6037a2b91f64dd0f826dfdd4b72ecb77108cbdd2def4c98659

SHA512
2daf0cb40ce872f661ba89ae283f5e304c53477a37cd532d9291a2513f2c8f3cee0ec5b39e20f3e14c895cffcbe574a07edd1f6d5a0a38a88a287079a0359651

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
869faf83196fbb5189df6fe1ee6157eb

SHA1
663903cde5096ebddcd1a4364b239ec3e4f25df4

SHA256
8460f002ade3eeeeef32d738f09b18865a6d031eae0c353813b9e769c4c3c14a

SHA512
1086dbc6996312e417adde9806678cc3546af310d53d561e1f9dc4b141594522b4c3562accb8adae26b8241f4c78c40daf5ecf2539af503d999b52695d596b7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
c81d309bba9b570e6358ebd3545c8ada

SHA1
5d46bfee24ebc833df7acdc29cdcae88d1285825

SHA256
4bafe45ff64e5edf05190ed764c2da1c44b73e2d20d392292d4ff371284022c2

SHA512
25b85aad8f7b3987dd0d73a45ef3c1098e70f2e0706909494a9894b70f3ea13b82cbfc73077c2e1224cf5be79c9c680e4ed8e10a3a568020ca542481e003ba2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
ea2996e5f730005127b32eadfd68bfc7

SHA1
c72165c85b2a9de02d7054ee4fb3b35206c5c6b1

SHA256
a00f10df0981d75f5e3148b4163734d8b516227fdcffae3724cde44f3ce3c289

SHA512
7ede8d674d0d6fdc2ed095a18101e849d5dc89eddb4058103633c958e0a2063a99c927108fd48c853e60902a4b5eae911e20036c21537f6e18faeee27ab2c65b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
3a8fc245037e591883918c40b4d8dabf

SHA1
c21a4edc6d2847b6b284a9148bbc4d7b210498b7

SHA256
f3dc079b1709ba4ad5da3465b6e6285e865c01376935c843d59d0efd71078af3

SHA512
ac4285cc47852a43f6a94671e47122ccc82c51da4c7a327c2850d6e17ba3a8c9f71ffeadf627fdf9afd8d9378aa3b0c226970e0fb37a21bd919b03a41158846f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
fcef4db1b2f7ca77308380081725ac7a

SHA1
433c2bf59650832cc53e060d1f91097b3bef1518

SHA256
5fa3e6493d6ece3c3b8e53ccab043f5e73a8d0bb9c2ec7ac90220e144ec884e3

SHA512
7e0f5dba05bd63776e60770eeaf098cf1a372765933ada59ecb3cfe4e15bab564fb5b1496651587c6915fdee55422a66d510ee328a23ea94742271b9df01867d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
e37e20b6ec30e22d7816ff45c11748a9

SHA1
4bce04dfff013a32be3ea477e36640fa4763ffb9

SHA256
ce8622fead3e0058c2060f2b5d3989b031d85d4d6ff112de6023f41f4c09b04c

SHA512
a9ac464a77d5a78a5a00763f21770b1322ffa7499826f1ef4583945a8d7eec7a04ae5ef8b0d3a6788588e521fb7b720905351cc05a513a9b1d8a68f38519d6cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
19b4eeaafff1e99da4800009da0ff525

SHA1
37a37f4facd0526b0a4b36bfafc307a1800646c5

SHA256
951b5cfd7bb3ff3388b391058c17dbba424a6696252cd2d730326489c455682c

SHA512
fd943feb6ac8ba2079817015bec9e5cdc306ef085aee1a6baef13991bc5816cf8182e783039af33aa53cb871dbc9d640a58f67b8fcbd346e6936732a55368106

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
6d61cb821e6bfa005b52d20584d1bd34

SHA1
2fd8bb963854546951b37476d5dffd83e8a609ca

SHA256
7eefa31aaa969f65289bcf0ab115ca7fe9c9fdc341297abb82c3f3ffc03d4295

SHA512
a1cfc22896a2d60cc5379d9e64d76a9f8881f7e702785a07b6f55feb82ffe2379882ebfbc545c40d91ffe67ee5f9ee544e916d75e6c34986b75634289468cefb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
f4a4037f3d7dfdd02be1b446f5863fd0

SHA1
c9660f89eb1cbdbcec847f15b2f80b7b927e9e81

SHA256
3018b71387ac9e19b260688e53889fec0ab00ec8053be746cc8d31a1a94d5e45

SHA512
4de72967182768fb2fd39a0083e2620aa7124baf882716675acfa639b792480d4ef74d26dbb93474d160afd806e4db664452372151dc36e19363fd64bbba81f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
7576af389c4746c4c7967f6d23e2e2e1

SHA1
77d736cbeb307aba71391d0292eb6e48d2abfa18

SHA256
e09d415c3b655c5d867394952426c7d96dde26972e3424542f16ebac43716667

SHA512
22fba53c838aad81fb8ecb2740aba95b41d40c371ac0e12b4776aceaa9a5e6c875415706b77f40a946ddca31292bb3339f834497ef4ab696eb9ed5e1905c2aa1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
3f469152a0b931c618c74f9a522d60a4

SHA1
7dabb24c3d3b5814df9d53b7736d8a42399f7b33

SHA256
2bb0dd8ca7a8186ce101daac386412e0a5bb7936d68220e99855299612c0775b

SHA512
fa656f9fe67ac23a9246bccd4a79eb9035f3e4a2b58a3432ccb817994b2c2b8f7d066e1a76b4a9cfc85141b8022d0e51534eae4b0ceeacefcd8016c44bf3adc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\default\https+++github.com\ls\usage

Filesize
12B

MD5
9a75a5036253d5d3bf62143d659ea00c

SHA1
6fa03071ea30ce6c1f7fef7ff0218c1e14be2a00

SHA256
3b9f9890ac3d383672dbaa3699cb9139f93ecfc0b017400a1f3e1c4d2f294597

SHA512
2979a939fe2615e3adb1e1257bbfbd07aeb356d67b4c372304238ff72d982147aabac337f35d10205f71c956ce6ac368bab365caf8e184ddea2760d5c6806a05

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
e7d901ad03d22078f4c42ecc83c3bd45

SHA1
13ffe2ced2026e6b99c39a96d006c7832a72ba17

SHA256
fddee54013f830a84e74dce5679f6e4c3c71b4c5c51ecdf58bcef7e27eba4f17

SHA512
8e7373116183db845f03c74e28effbe85b53c6c109f0a1a867fc4daa2944c099846644c5b6ecfa6408091d097a08b3f1b8cedcbeffbdcfaa14147f6b76663ec9

Download Submit
C:\Users\Admin\Downloads\-LG0M6YA.exe.part

Filesize
2KB

MD5
a56d479405b23976f162f3a4a74e48aa

SHA1
f4f433b3f56315e1d469148bdfd835469526262f

SHA256
17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23

SHA512
f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a

Download Submit
C:\Users\Admin\Downloads\Azorult(2).exe:Zone.Identifier

Filesize
50B

MD5
dce5191790621b5e424478ca69c47f55

SHA1
ae356a67d337afa5933e3e679e84854deeace048

SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

Download Submit
C:\Users\Admin\Downloads\Azorult(7).exe

Filesize
10.0MB

MD5
5df0cf8b8aa7e56884f71da3720fb2c6

SHA1
0610e911ade5d666a45b41f771903170af58a05a

SHA256
dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360

SHA512
724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a

Download Submit
C:\Users\Admin\Downloads\Azorult.xJ1DfA6v.exe.part

Filesize
9KB

MD5
a7267ea62be1b55561d72a74f8411f2a

SHA1
bbe49b6e7a8fabc71b69b2a292a27fd48eedea4a

SHA256
815ff6ba14611c9b7b5546d529d78d5232d0466cce4f39ae5ffec8d712123c6f

SHA512
abc17bbbb808133128ca2014a1ebe7fbe26ece19d35af94897af99c36cbc5410640b767ca7cafa5fbbc8b7d963e6cf622d60125351c2e309388139c40237db46

Download Submit
C:\programdata\install\cheat.exe

Filesize
4.5MB

MD5
c097289ee1c20ac1fbddb21378f70410

SHA1
d16091bfb972d966130dc8d3a6c235f427410d7f

SHA256
b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2

SHA512
46236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d

Download Submit
C:\programdata\install\ink.exe

Filesize
112KB

MD5
ef3839826ed36f3a534d1d099665b909

SHA1
8afbee7836c8faf65da67a9d6dd901d44a8c55ca

SHA256
136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040

SHA512
040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8

Download Submit
C:\programdata\microsoft\intel\P.exe

Filesize
382KB

MD5
b78c384bff4c80a590f048050621fe87

SHA1
f006f71b0228b99917746001bc201dbfd9603c38

SHA256
8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b

SHA512
479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab

Download Submit
C:\rdp\pause.bat

Filesize
352B

MD5
a47b870196f7f1864ef7aa5779c54042

SHA1
dcb71b3e543cbd130a9ec47d4f847899d929b3d2

SHA256
46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba

SHA512
b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60

Download Submit
C:\rdp\run.vbs

Filesize
84B

MD5
6a5f5a48072a1adae96d2bd88848dcff

SHA1
b381fa864db6c521cbf1133a68acf1db4baa7005

SHA256
c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

SHA512
d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
b5fc476c1bf08d5161346cc7dd4cb0ba

SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096

SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

Download Submit
memory/2840-930-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2840-936-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2840-929-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2840-933-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2840-932-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2840-934-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2840-931-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3768-954-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3768-952-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3768-953-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3768-949-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3768-951-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3768-1098-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3768-1149-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3768-950-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4372-990-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4372-940-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4372-941-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4372-943-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4372-938-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4372-939-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4372-942-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4468-113-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/4468-6-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/5124-975-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5124-1099-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5124-988-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5124-989-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5124-980-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5124-979-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5124-976-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5208-977-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5208-978-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5208-972-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5208-971-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5208-1100-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5208-973-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5348-922-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5348-920-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5348-921-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5348-925-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5348-924-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5348-927-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5348-923-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5772-1025-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/6112-1035-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/6112-1034-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/6112-1033-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/6112-1032-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/6112-1031-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/6112-1037-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/6112-1030-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download