Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 06/08/2024, 13:23
Static task: static1
Behavioral task: behavioral1
  Sample: Robokits_USB_BT_18_ServoCon_Setup_V82.exe
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: Robokits_USB_BT_18_ServoCon_Setup_V82.exe
  Resource: win10v2004-20240802-en
General
Target: Robokits_USB_BT_18_ServoCon_Setup_V82.exe
Size: 3.1MB
MD5: e0017606ff7935c846769b617a522c90
SHA1: ccbc102781a64f7936310e8f25028101ac3ff353
SHA256: 0226f723ff835d0b46269c1b896fa18fef0a8ed24dc3c72872dcf4cb45be90f9
SHA512: b904262e8eea28f2229f6b670cf0240314626a8736aa90ed86f7c254cbe461190f1ba0976794b08dd11242b577c29bf3b2d5d767d910ad48889697a0e0cc34c5
SSDEEP: 49152:sN26FOnzGn6LJvqkwnpC+mWd6uIcc+vo7dP6dF/WPxDz0peWUiz8ahxkYu:s06FOznLo0+Dd6uxc+vqYdF/WPxDIXxI
Malware Config
Extracted family: azorult
C2: http://boglogov.site/index.php
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Modifies Windows Defender Real-time Protection settings 5 IoCs
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection [Azorult(7).exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" [Azorult(7).exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" [Azorult(7).exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" [Azorult(7).exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" [Azorult(7).exe]

UAC bypass 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [Azorult(7).exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" [Azorult(7).exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" [regedit.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [regedit.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" [regedit.exe]

Windows security bypass 1 IoC
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths [regedit.exe]
Blocks application from running via registry modification 13 IoCs
Adds application to list of disallowed applications.
All entries are written by Azorult(7).exe under \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun:
- Key created DisallowRun
- Set value (int) DisallowRun = "1"
- Set value (str) DisallowRun\1 = "eav_trial_rus.exe"
- Set value (str) DisallowRun\2 = "avast_free_antivirus_setup_online.exe"
- Set value (str) DisallowRun\3 = "eis_trial_rus.exe"
- Set value (str) DisallowRun\4 = "essf_trial_rus.exe"
- Set value (str) DisallowRun\5 = "hitmanpro_x64.exe"
- Set value (str) DisallowRun\6 = "ESETOnlineScanner_UKR.exe"
- Set value (str) DisallowRun\7 = "ESETOnlineScanner_RUS.exe"
- Set value (str) DisallowRun\8 = "HitmanPro.exe"
- Set value (str) DisallowRun\9 = "360TS_Setup_Mini.exe"
- Set value (str) DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"
- Set value (str) DisallowRun\11 = "Cube.exe"
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 21 IoCs
netsh.exe PIDs: 5856, 5548, 4064, 5360, 5300, 5884, 6140, 5784, 5240, 5780, 5956, 5320, 2652, 5348, 2636, 6140, 6072, 1008, 5620, 5552, 4608
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
- behavioral1/files/0x000700000001ad58-958.dat (yara rule: acprotect)
- behavioral1/files/0x000700000001ad57-955.dat (yara rule: acprotect)

ASPack (yara rule: aspack_v212_v242) 2 IoCs
- behavioral1/files/0x000700000001ad55-918.dat
- behavioral1/files/0x000c00000001ad4f-959.dat
Executes dropped EXE 15 IoCs
- 4468 irsetup.exe
- 5576 Azorult(7).exe
- 5776 wini.exe
- 6060 winit.exe
- 5348, 2840, 4372, 3768 rutserv.exe
- 5124, 5208 rfusclient.exe
- 5616 cheat.exe
- 5728 Azorult(4).exe
- 5772 ink.exe
- 6028 taskhost.exe
- 5172 P.exe

Loads dropped DLL 1 IoC
- 4468 irsetup.exe

Modifies file permissions 1 TTP 35 IoCs
icacls.exe PIDs: 2616, 5148, 4568, 2172, 4648, 2744, 2512, 4800, 5132, 5840, 6004, 5504, 5316, 5736, 5852, 5272, 4064, 2440, 2672, 4632, 984, 3984, 5256, 4008, 6008, 3324, 6072, 3204, 6084, 1712, 4220, 3364, 5568, 5340, 5148

UPX (yara rule: upx) 5 IoCs
- behavioral1/files/0x000800000001ac15-4.dat
- behavioral1/memory/4468-6-0x0000000000400000-0x00000000007CB000-memory.dmp
- behavioral1/memory/4468-113-0x0000000000400000-0x00000000007CB000-memory.dmp
- behavioral1/files/0x000700000001ad58-958.dat
- behavioral1/files/0x000700000001ad57-955.dat

Checks whether UAC is enabled 1 IoC
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [Azorult(7).exe]
Legitimate hosting services abused for malware hosting/C2 1 TTP 5 IoCs
- flows 113, 114, 115, 116, 121: raw.githubusercontent.com

Looks up external IP address via web service 1 IoC
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 141: ip-api.com
Modifies WinLogon 2 TTPs 6 IoCs
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts [Azorult(7).exe]
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList [Azorult(7).exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" [Azorult(7).exe]
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts [Azorult(7).exe]
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList [Azorult(7).exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" [Azorult(7).exe]

AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
- behavioral1/files/0x000800000001ad46-825.dat (yara rule: autoit_exe)
- behavioral1/files/0x000700000001ad56-894.dat (yara rule: autoit_exe)
- behavioral1/files/0x000700000001ad67-1021.dat (yara rule: autoit_exe)

Hide Artifacts: Hidden Users 1 TTP 3 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" [Azorult(7).exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" [regedit.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" [Azorult(7).exe]
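The Defender real-time protection, UAC bypass, Windows security bypass, DisallowRun, WinLogon and hidden-user signatures above are all plain registry writes, so a responder can bucket them straight from the report's table lines. The classifier below is an added example, not Triage's code or anything from the sample; the input lines are copied from the tables in this report (plus one benign firefox.exe class-key line as a control), while the rule table, its category names and the parsing assumptions are this example's own.

```python
"""Classify registry IoC lines from this report into tamper categories.

Added example; the line format assumed is "<op> <key>[ = "<value>"] <process>" as
printed in the report's registry tables, with a process name that contains no spaces.
"""
import re
from collections import defaultdict

# Lines copied from the report's tables above. The last one (a firefox.exe
# class key) is a benign control that should match no rule.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" Azorult(7).exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Azorult(7).exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths regedit.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" regedit.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" regedit.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" Azorult(7).exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" Azorult(7).exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" Azorult(7).exe',
    r'Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings firefox.exe',
]

# (category, regex on the key path, value the write must carry or None for any/no value).
# Ordered most specific first; the first match wins.
RULES = [
    ("defender_realtime_disabled", r"\\Windows Defender\\Real-Time Protection\\Disable\w+$", "1"),
    ("defender_policy_key",        r"\\Policies\\Microsoft\\Windows Defender\\", None),
    ("defender_exclusion",         r"\\Windows Defender\\Exclusions\\", None),
    ("uac_disabled",               r"\\Policies\\System\\EnableLUA$", "0"),
    ("uac_prompt_disabled",        r"\\Policies\\System\\(ConsentPromptBehaviorAdmin|PromptOnSecureDesktop)$", "0"),
    ("disallowrun_entry",          r"\\Policies\\Explorer\\DisallowRun\\\d+$", None),
    ("disallowrun_enabled",        r"\\Policies\\Explorer\\DisallowRun$", "1"),
    ("hidden_user",                r"\\Winlogon\\SpecialAccounts\\UserList\\[^\\]+$", "0"),
]

LINE_RE = re.compile(r'^(Key created|Set value \((?:int|str)\))\s+(.*)$')


def parse_ioc(line):
    """Split one table line into op, key, value (None for 'Key created') and process."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    op, rest = m.groups()
    rest, _, proc = rest.rpartition(" ")      # process name is the last token
    key, value = rest, None
    if ' = "' in rest:                         # the quoted value delimits the key path
        key, _, quoted = rest.partition(' = "')
        value = quoted.rstrip('"')
    return {"op": op, "key": key, "value": value, "proc": proc}


def classify(ioc):
    """Name of the first matching rule, or None when no rule covers the key."""
    for name, pattern, want in RULES:
        if re.search(pattern, ioc["key"], re.IGNORECASE) and (want is None or ioc["value"] == want):
            return name
    return None


def triage(lines):
    """category -> [(process, last path component)] for every line a rule matches."""
    hits = defaultdict(list)
    for line in lines:
        ioc = parse_ioc(line)
        if ioc is None:
            continue
        cat = classify(ioc)
        if cat:
            hits[cat].append((ioc["proc"], ioc["key"].rsplit("\\", 1)[-1]))
    return dict(hits)


if __name__ == "__main__":
    for cat, entries in triage(SAMPLE_IOCS).items():
        print(f"{cat}: {entries}")
```

The value check matters: EnableLUA = "1" or a Disable* value of "0" is a hardening change and should not be bucketed with the disabling writes, so each rule carries the value that makes the write hostile.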
Launches sc.exe 24 IoCs
sc.exe is a Windows utility to control services on the system.
sc.exe PIDs: 6056, 5356, 6092, 5964, 5560, 5280, 5544, 5320, 5148, 5260, 5588, 4640, 5572, 5880, 6128, 3148, 5936, 5824, 5676, 5560, 5844, 5288, 5776, 5280
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTP 10 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier whose content is the Mark-of-the-Web (MOTW).
All ten IoCs are Zone.Identifier streams created by firefox.exe on files in C:\Users\Admin\Downloads: Azorult.exe, Azorult(1).exe through Azorult(8).exe, and MadMan.exe.
Note that these entries record the browser writing the mark on each download, which is ordinary browser behaviour; the signature fires on Zone.Identifier activity, and these IoCs by themselves do not show the mark being removed.
Enumerates physical storage devices 1 TTP
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTP 27 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 27 IoCs are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", by process:
- rutserv.exe (4), sc.exe (4), regedit.exe (2), rfusclient.exe (2), cmd.exe (2), attrib.exe (2)
- Robokits_USB_BT_18_ServoCon_Setup_V82.exe, irsetup.exe, Azorult(7).exe, Azorult(4).exe, wini.exe, winit.exe, WScript.exe, timeout.exe, taskhost.exe, ink.exe, cheat.exe (1 each)
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
All five IoCs are by firefox.exe under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0:
- Key opened CentralProcessor\0
- Key value queried Update Revision
- Key value queried ~Mhz
- Key value queried VendorIdentifier
- Key value queried Update Signature

Delays execution with timeout.exe 3 IoCs
timeout.exe PIDs: 5204, 6044, 4592

Kills process with taskkill 2 IoCs
taskkill.exe PIDs: 6140, 5476

Modifies registry class 2 IoCs
- Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings [firefox.exe]
- Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings [wini.exe]
NTFS ADS 10 IoCs
The same ten Zone.Identifier streams as in the Mark-of-the-Web entry, created by firefox.exe in C:\Users\Admin\Downloads:
- Azorult.exe:Zone.Identifier
- Azorult(1).exe:Zone.Identifier
- Azorult(2).exe:Zone.Identifier
- Azorult(3).exe:Zone.Identifier
- Azorult(4).exe:Zone.Identifier
- Azorult(5).exe:Zone.Identifier
- Azorult(6).exe:Zone.Identifier
- Azorult(7).exe:Zone.Identifier
- Azorult(8).exe:Zone.Identifier
- MadMan.exe:Zone.Identifier
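The Zone.Identifier stream that the Mark-of-the-Web and NTFS ADS entries above record is a short INI-style text, so checking whether a downloaded binary still carries it (and from which zone) is a one-function job. The parser below is an added example, not part of the Triage report or of any tool it names; the stream content and the example.invalid URLs are constructed to resemble a browser download tag, and on a non-NTFS or non-Windows filesystem the reader simply reports no mark.

```python
"""Parse the Zone.Identifier alternate data stream (the Mark-of-the-Web).

Added example. The [ZoneTransfer] section with ZoneId, ReferrerUrl and HostUrl
is the layout Windows and browsers write; SAMPLE_STREAM below is constructed.
"""
import configparser
from typing import Optional

# URLZONE values Windows uses for ZoneId (urlmon.h). A browser download such as
# the firefox.exe entries above carries 3 (Internet).
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Constructed sample stream; the URLs are placeholders, not taken from the report.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/files/Azorult(7).exe\r\n"
)


def parse_zone_identifier(stream_text: str) -> dict:
    """Return zone_id, zone name and the optional ReferrerUrl/HostUrl fields.
    Raises ValueError when the text is not a [ZoneTransfer] stream."""
    # '=' only: URLs contain ':' and must not be split on it.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep ZoneId/ReferrerUrl/HostUrl casing as written
    try:
        cp.read_string(stream_text)
    except configparser.Error as exc:
        raise ValueError(f"malformed stream: {exc}") from exc
    if not cp.has_option("ZoneTransfer", "ZoneId"):
        raise ValueError("no [ZoneTransfer]/ZoneId in stream")
    sec = cp["ZoneTransfer"]
    zone_id = int(sec["ZoneId"])
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer": sec.get("ReferrerUrl"),
        "host": sec.get("HostUrl"),
    }


def is_internet_origin(info: dict) -> bool:
    """True for the zones Windows treats as untrusted for MOTW purposes (Internet, Restricted)."""
    return info["zone_id"] >= 3


def read_motw(path: str) -> Optional[dict]:
    """Read <path>:Zone.Identifier. None means no MOTW is present, or the
    filesystem does not expose alternate data streams (non-NTFS, non-Windows)."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    print(read_motw(r"C:\Users\Admin\Downloads\Azorult(7).exe"))
```

On the analysis host, a `None` from `read_motw` on a file the browser is known to have tagged is the finding a responder wants: the stream was stripped, or the file was copied through a path that does not carry streams.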
Runs .reg file with regedit 2 IoCs
regedit.exe PIDs: 5160, 5184
Suspicious behavior: EnumeratesProcesses 38 IoCs
- 5576 Azorult(7).exe (10)
- 5348 rutserv.exe (6)
- 2840 rutserv.exe (2)
- 4372 rutserv.exe (2)
- 3768 rutserv.exe (6)
- 5124 rfusclient.exe (2)
- 5728 Azorult(4).exe (10)

Suspicious behavior: LoadsDriver 1 IoC
- 624 Process not Found

Suspicious use of AdjustPrivilegeToken 10 IoCs
- SeDebugPrivilege: 2476 firefox.exe (5)
- SeDebugPrivilege: 5348 rutserv.exe
- SeDebugPrivilege: 4372 rutserv.exe
- SeTakeOwnershipPrivilege: 3768 rutserv.exe
- SeTcbPrivilege: 3768 rutserv.exe (2)

Suspicious use of FindShellTrayWindow 4 IoCs
- 2476 firefox.exe (4)

Suspicious use of SendNotifyMessage 3 IoCs
- 2476 firefox.exe (3)

Suspicious use of SetWindowsHookEx 31 IoCs
- 4468 irsetup.exe (3)
- 2476 firefox.exe (17)
- 5576 Azorult(7).exe, 5776 wini.exe, 6060 winit.exe, 5348 rutserv.exe, 2840 rutserv.exe, 4372 rutserv.exe, 3768 rutserv.exe, 5616 cheat.exe, 5728 Azorult(4).exe, 5772 ink.exe, 6028 taskhost.exe (1 each)

Suspicious use of WriteProcessMemory 64 IoCs
Grouped as writer PID -> target PID (procid_target in parentheses):
- 4988 Robokits_USB_BT_18_ServoCon_Setup_V82.exe -> 4468 (72): 3 writes
- 3472 firefox.exe -> 2476 (75): 11 writes
- 2476 firefox.exe -> 656 (76): 2 writes
- 2476 firefox.exe -> 4376 (77): 48 writes
System policy modification 1 TTP 3 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [Azorult(7).exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" [Azorult(7).exe]
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System [Azorult(7).exe]

Uses Task Scheduler COM API 1 TTP
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes 1 TTP 2 IoCs
attrib.exe PIDs: 5520, 5532
Processes
-
C:\Users\Admin\AppData\Local\Temp\Robokits_USB_BT_18_ServoCon_Setup_V82.exe"C:\Users\Admin\AppData\Local\Temp\Robokits_USB_BT_18_ServoCon_Setup_V82.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742706 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\Robokits_USB_BT_18_ServoCon_Setup_V82.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-4106386276-4127174233-3637007343-1000"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4468
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.0.328520511\225315588" -parentBuildID 20221007134813 -prefsHandle 1628 -prefMapHandle 1620 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bdb737f-842a-4fd6-a730-b36bdc08afc5} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 1764 282f96d7558 gpu3⤵PID:656
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.1.1915866901\1319577917" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b488ba1d-d3fc-4f24-bd1f-8c753e8da8d3} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 2120 282e7370a58 socket3⤵PID:4376
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.2.990987118\1759778170" -childID 1 -isForBrowser -prefsHandle 2752 -prefMapHandle 2916 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a7fd13d-c1ed-4768-ac30-940158ce48f8} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 2892 282fd994158 tab3⤵PID:3044
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.3.1198687850\16545944" -childID 2 -isForBrowser -prefsHandle 3016 -prefMapHandle 3024 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f107f4d5-e5f2-4793-954b-84f931b96ca7} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 3092 282e7362558 tab3⤵PID:336
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.4.1145691244\375646531" -childID 3 -isForBrowser -prefsHandle 4396 -prefMapHandle 4392 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3806df0f-2e30-4049-9873-2a2d98aa9478} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 4408 282fe77a158 tab3⤵PID:4428
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.5.67093019\1283840955" -childID 4 -isForBrowser -prefsHandle 4940 -prefMapHandle 4948 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef6aff8e-e24b-4f56-97c0-edf1cd0f6261} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 4956 282fff5c858 tab3⤵PID:4288
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.6.646623070\2058640377" -childID 5 -isForBrowser -prefsHandle 5096 -prefMapHandle 5100 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef5a6377-f860-4491-b1ad-01c102c091ff} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 5088 282fff5f258 tab3⤵PID:4052
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.7.870340819\967464502" -childID 6 -isForBrowser -prefsHandle 5264 -prefMapHandle 5268 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {261c320d-e11a-4bd0-9054-58497fe7a96e} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 5256 28300b81858 tab3⤵PID:3016
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.8.896831968\1099145170" -childID 7 -isForBrowser -prefsHandle 2476 -prefMapHandle 3864 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e0b7c2d-8de7-4aa6-98e0-4de4b21affc4} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 5292 282f9c0f258 tab3⤵PID:4408
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.9.348648463\1082654043" -childID 8 -isForBrowser -prefsHandle 5060 -prefMapHandle 4980 -prefsLen 26830 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {017c272a-4744-439b-9d39-a13b0aa8c301} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 5048 282ffcb5258 tab3⤵PID:2856
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.10.674710748\1392435718" -childID 9 -isForBrowser -prefsHandle 5028 -prefMapHandle 4560 -prefsLen 26830 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7aa88621-aca5-4244-b055-e2af72703f4c} 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 5040 282ffddb658 tab3⤵PID:912
-
-
C:\Users\Admin\Downloads\Azorult(7).exe"C:\Users\Admin\Downloads\Azorult(7).exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies WinLogon
- Hide Artifacts: Hidden Users
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:5576 -
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5776 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"5⤵
- System Location Discovery: System Language Discovery
PID:6040 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "6⤵
- System Location Discovery: System Language Discovery
PID:6136 -
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"7⤵
- UAC bypass
- Windows security bypass
- Hide Artifacts: Hidden Users
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:5160
-
-
            C:\Windows\SysWOW64\regedit.exe  (depth 7, PID 5184)
              cmdline: regedit /s "reg2.reg"
              - System Location Discovery: System Language Discovery
              - Runs .reg file with regedit

            C:\Windows\SysWOW64\timeout.exe  (depth 7, PID 5204)
              cmdline: timeout 2
              - System Location Discovery: System Language Discovery
              - Delays execution with timeout.exe

            C:\ProgramData\Windows\rutserv.exe  (depth 7, PID 5348)
              cmdline: rutserv.exe /silentinstall
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx

            C:\ProgramData\Windows\rutserv.exe  (depth 7, PID 2840)
              cmdline: rutserv.exe /firewall
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx

            C:\ProgramData\Windows\rutserv.exe  (depth 7, PID 4372)
              cmdline: rutserv.exe /start
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\attrib.exe  (depth 7, PID 5520)
              cmdline: ATTRIB +H +S C:\Programdata\Windows\*.*
              - System Location Discovery: System Language Discovery
              - Views/modifies file attributes

            C:\Windows\SysWOW64\attrib.exe  (depth 7, PID 5532)
              cmdline: ATTRIB +H +S C:\Programdata\Windows
              - System Location Discovery: System Language Discovery
              - Views/modifies file attributes

            C:\Windows\SysWOW64\sc.exe  (depth 7, PID 5560)
              cmdline: sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
              - Launches sc.exe
              - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\sc.exe  (depth 7, PID 5572)
              cmdline: sc config RManService obj= LocalSystem type= interact type= own
              - Launches sc.exe
              - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\sc.exe  (depth 7, PID 5544)
              cmdline: sc config RManService DisplayName= "Microsoft Framework"
              - Launches sc.exe
              - System Location Discovery: System Language Discovery

        C:\ProgramData\Windows\winit.exe  (depth 5, PID 6060)
          cmdline: "C:\ProgramData\Windows\winit.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx

          C:\Program Files (x86)\Windows Mail\WinMail.exe  (depth 6, PID 5368)
            cmdline: "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE

            C:\Program Files\Windows Mail\WinMail.exe  (depth 7, PID 3104)
              cmdline: "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE

          C:\Windows\SysWOW64\cmd.exe  (depth 6, PID 5916)
            cmdline: C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat

            C:\Windows\SysWOW64\timeout.exe  (depth 7, PID 6044)
              cmdline: timeout 5
              - Delays execution with timeout.exe
      C:\programdata\install\cheat.exe  (depth 4, PID 5616)
        cmdline: C:\programdata\install\cheat.exe -pnaxui
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

        C:\ProgramData\Microsoft\Intel\taskhost.exe  (depth 5, PID 6028)
          cmdline: "C:\ProgramData\Microsoft\Intel\taskhost.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx

          C:\programdata\microsoft\intel\P.exe  (depth 6, PID 5172)
            cmdline: C:\programdata\microsoft\intel\P.exe
            - Executes dropped EXE

          C:\programdata\microsoft\intel\R8.exe  (depth 6, PID 5508)
            cmdline: C:\programdata\microsoft\intel\R8.exe

            C:\Windows\SysWOW64\WScript.exe  (depth 7, PID 5488)
              cmdline: "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"

              C:\Windows\SysWOW64\cmd.exe  (depth 8, PID 2636)
                cmdline: C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "

                C:\Windows\SysWOW64\taskkill.exe  (depth 9, PID 5476)
                  cmdline: taskkill /f /im Rar.exe
                  - Kills process with taskkill

                C:\Windows\SysWOW64\taskkill.exe  (depth 9, PID 6140)
                  cmdline: taskkill /f /im Rar.exe
                  - Kills process with taskkill

                C:\Windows\SysWOW64\timeout.exe  (depth 9, PID 4592)
                  cmdline: timeout 3
                  - Delays execution with timeout.exe

      C:\programdata\install\ink.exe  (depth 4, PID 5772)
        cmdline: C:\programdata\install\ink.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5788)
        cmdline: C:\Windows\system32\cmd.exe /c sc start appidsvc
        - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 6056)
          cmdline: sc start appidsvc
          - Launches sc.exe
          - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 6112)
        cmdline: C:\Windows\system32\cmd.exe /c sc start appmgmt

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 5280)
          cmdline: sc start appmgmt
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5244)
        cmdline: C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 5356)
          cmdline: sc config appidsvc start= auto
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5316)
        cmdline: C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 5676)
          cmdline: sc config appmgmt start= auto
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 2488)
        cmdline: C:\Windows\system32\cmd.exe /c sc delete swprv

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 5824)
          cmdline: sc delete swprv
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5840)
        cmdline: C:\Windows\system32\cmd.exe /c sc stop mbamservice

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 5880)
          cmdline: sc stop mbamservice
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5892)
        cmdline: C:\Windows\system32\cmd.exe /c sc stop bytefenceservice

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 5936)
          cmdline: sc stop bytefenceservice
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5736)
        cmdline: C:\Windows\system32\cmd.exe /c sc delete bytefenceservice

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 6092)
          cmdline: sc delete bytefenceservice
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5996)
        cmdline: C:\Windows\system32\cmd.exe /c sc delete mbamservice

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 5776)
          cmdline: sc delete mbamservice
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5976)
        cmdline: C:\Windows\system32\cmd.exe /c sc delete crmsvc

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 5964)
          cmdline: sc delete crmsvc
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5972)
        cmdline: C:\Windows\system32\cmd.exe /c sc delete "windows node"

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 5280)
          cmdline: sc delete "windows node"
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 6116)
        cmdline: C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 3148)
          cmdline: sc stop Adobeflashplayer
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 3632)
        cmdline: C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 5320)
          cmdline: sc delete AdobeFlashPlayer
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 2072)
        cmdline: C:\Windows\system32\cmd.exe /c sc stop MoonTitle

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 5288)
          cmdline: sc stop MoonTitle
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5244)
        cmdline: C:\Windows\system32\cmd.exe /c sc delete MoonTitle"

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 5560)
          cmdline: sc delete MoonTitle"
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5548)
        cmdline: C:\Windows\system32\cmd.exe /c sc stop AudioServer

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 5148)
          cmdline: sc stop AudioServer
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5136)
        cmdline: C:\Windows\system32\cmd.exe /c sc delete AudioServer"

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 4640)
          cmdline: sc delete AudioServer"
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5536)
        cmdline: C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 5260)
          cmdline: sc stop clr_optimization_v4.0.30318_64
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5316)
        cmdline: C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 5588)
          cmdline: sc delete clr_optimization_v4.0.30318_64"
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5520)
        cmdline: C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 5844)
          cmdline: sc stop MicrosoftMysql
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5760)
        cmdline: C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql

        C:\Windows\SysWOW64\sc.exe  (depth 5, PID 6128)
          cmdline: sc delete MicrosoftMysql
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5784)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 4064)
          cmdline: netsh advfirewall set allprofiles state on
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5736)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 5348)
          cmdline: netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5616)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 2652)
          cmdline: netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5972)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 6140)
          cmdline: netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5356)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 5548)
          cmdline: netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 2216)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 5360)
          cmdline: netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5448)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 5956)
          cmdline: netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 2488)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 5856)
          cmdline: netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5324)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 5320)
          cmdline: netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 3148)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 2636)
          cmdline: netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5792)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 6072)
          cmdline: netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5644)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes

        C:\Windows\System32\Conhost.exe  (depth 5, PID 6056)
          cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 1008)
          cmdline: netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 3184)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 5780)
          cmdline: netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5612)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 5784)
          cmdline: netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 4064)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 5620)
          cmdline: netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5528)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 6140)
          cmdline: netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5856)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 5240)
          cmdline: netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 4952)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 5884)
          cmdline: netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5864)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 5300)
          cmdline: netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5132)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 4608)
          cmdline: netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5176)
        cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out

        C:\Windows\SysWOW64\netsh.exe  (depth 5, PID 5552)
          cmdline: netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
          - Modifies Windows Firewall

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5128)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 4220)
          cmdline: icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5212)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 4008)
          cmdline: icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 4012)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 5568)
          cmdline: icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 3588)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 3364)
          cmdline: icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 2664)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 5148)
          cmdline: icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 4660)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 2616)
          cmdline: icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 888)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 6072)
          cmdline: icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 2492)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 4800)
          cmdline: icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 1732)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 2440)
          cmdline: icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5144)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 4064)
          cmdline: icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5968)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 5316)
          cmdline: icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5436)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 5272)
          cmdline: icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 4452)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 984)
          cmdline: icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 2256)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 5256)
          cmdline: icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5820)
        cmdline: C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 5840)
          cmdline: icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5616)
        cmdline: C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 6008)
          cmdline: icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 1712)
        cmdline: C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 6004)
          cmdline: icacls c:\programdata\Malwarebytes /deny Admin:(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5864)
        cmdline: C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 5504)
          cmdline: icacls c:\programdata\Malwarebytes /deny System:(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 640)
        cmdline: C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 4568)
          cmdline: icacls C:\Programdata\MB3Install /deny Admin:(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 6024)
        cmdline: C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 3984)
          cmdline: icacls C:\Programdata\MB3Install /deny System:(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 3020)
        cmdline: C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 5340)
          cmdline: icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 1832)
        cmdline: C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 5852)
          cmdline: icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5804)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 2744)
          cmdline: icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 6060)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 5736)
          cmdline: icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 6072)
        cmdline: C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 5148)
          cmdline: icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 6132)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 2512)
          cmdline: icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 4012)
        cmdline: C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 2172)
          cmdline: icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5368)
        cmdline: C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 3204)
          cmdline: icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5988)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 2672)
          cmdline: icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5912)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 6084)
          cmdline: icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5972)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 3324)
          cmdline: icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 2408)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 1712)
          cmdline: icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 5496)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 4632)
          cmdline: icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 232)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 4648)
          cmdline: icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
          - Modifies file permissions

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 4008)
        cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)

        C:\Windows\SysWOW64\icacls.exe  (depth 5, PID 5132)
          cmdline: icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
          - Modifies file permissions
    C:\Users\Admin\Downloads\Azorult(4).exe  (depth 3, PID 5728)
      cmdline: "C:\Users\Admin\Downloads\Azorult(4).exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

C:\ProgramData\Windows\rutserv.exe  (depth 1, PID 3768)
  cmdline: C:\ProgramData\Windows\rutserv.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

  C:\ProgramData\Windows\rfusclient.exe  (depth 2, PID 5124)
    cmdline: C:\ProgramData\Windows\rfusclient.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

    C:\ProgramData\Windows\rfusclient.exe  (depth 3, PID 6112)
      cmdline: C:\ProgramData\Windows\rfusclient.exe /tray

  C:\ProgramData\Windows\rfusclient.exe  (depth 2, PID 5208)
    cmdline: C:\ProgramData\Windows\rfusclient.exe /tray
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)
Persistence
  - Boot or Logon Autostart Execution (1)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (3)
    - Windows Service (3)
Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (1)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (3)
    - Windows Service (3)
Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - File and Directory Permissions Modification (1)
  - Hide Artifacts (2)
    - Hidden Files and Directories (1)
    - Hidden Users (1)
  - Impair Defenses (5)
    - Disable or Modify System Firewall (1)
    - Disable or Modify Tools (3)
  - Modify Registry (5)
  - Subvert Trust Controls (1)
    - SIP and Trust Provider Hijacking (1)
Downloads
-
Filesize
887KB
MD5ad95d98c04a3c080df33ed75ad38870f
SHA1abbb43f7b7c86d7917d4582e47245a40ca3f33c0
SHA25640d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd
SHA512964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed
-
Filesize
3.6MB
MD5c5ec8996fc800325262f5d066f5d61c9
SHA195f8e486960d1ddbec88be92ef71cb03a3643291
SHA256892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db
SHA5124721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a
-
Filesize
140B
MD55e36713ab310d29f2bdd1c93f2f0cad2
SHA17e768cca6bce132e4e9132e8a00a1786e6351178
SHA256cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931
SHA5128e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1
-
Filesize
12KB
MD5806734f8bff06b21e470515e314cfa0d
SHA1d4ef2552f6e04620f7f3d05f156c64888c9c97ee
SHA2567ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544
SHA512007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207
-
Filesize
1KB
MD56a5d2192b8ad9e96a2736c8b0bdbd06e
SHA1235a78495192fc33f13af3710d0fe44e86a771c9
SHA2564ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a
SHA512411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d
-
Filesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
Filesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
Filesize
155KB
MD588318158527985702f61d169434a4940
SHA13cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA2564c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA5125d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
-
Filesize
593KB
MD56298c0af3d1d563834a218a9cc9f54bd
SHA10185cd591e454ed072e5a5077b25c612f6849dc9
SHA25681af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
-
Filesize
961KB
MD503a781bb33a21a742be31deb053221f3
SHA13951c17d7cadfc4450c40b05adeeb9df8d4fb578
SHA256e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210
SHA512010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45
-
Filesize
418B
MD5db76c882184e8d2bac56865c8e88f8fd
SHA1fc6324751da75b665f82a3ad0dcc36bf4b91dfac
SHA256e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a
SHA512da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92
-
Filesize
13KB
MD5946fde0f299492c42151f070e6393e75
SHA104b581755cde9da3c8ba4eb91b9c7a8b8e037f6d
SHA25607e3352b75e87caf16ec93dad73048b979f66b2e175ce19e3d1deeb047c117b4
SHA51203b9f69802fab56f95c449eb1e0fcc8ce83c47492fa865f18c11f72205f52f80649cde956b6a4ae693f089210f183172ff773aaacf4226ac1865532299bc13c5
-
Filesize
62KB
MD5451139a65ba19777de136e365a06e6dc
SHA11309aee2aa0d4d5c0be8d095fde3da2cfe15f094
SHA25663a6992249f0ae927ad29b52c4b0e6effab2a824d076f8ba1df63992a3459ead
SHA512807dea1be3bca2ccd05d70df172996a66d4b67f42b19bc5aaf1f9ed586e731843c01f5a9f36f2032b6aaa0610d3474f21c9048dd6b889df60f431088ba3b1276
-
Filesize
13KB
MD565045609b25b6c9831242f60d7c2963d
SHA1e96cbe4814bf788178c331b366c08157f22f7850
SHA256281ced5288a112eca8f508009b1a0b65a356b48b8bed6fabb5cf18af91fd5017
SHA512f431b10341725c02df6eae15d7e06a1bb72869712e1ed32974086de7d3739e2df1b9285da9624eecefc334264618eba4466eff40e29686a48dfadd2d05015c3e
-
Filesize
13KB
MD52053c590ab1218408af3947adf45a909
SHA1123d288c80e221eb47b325534b1cb5314f8b5593
SHA256e81fbcab39d715feda3857de7de9061f8cb0c5fcff83d15b9497f930d552c88e
SHA512c35e335f49dec7b46b9f9068cb4c40ec9c804b4c1c3cf455c04681f2c231420a18d62a0ab79082f5801e3d804793035101ae08e087b8690e24fb5dd959700603
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\003B9E0A2EAC56AAFE3116E93CC53920DFB930FE
Filesize85KB
MD594694f2e102f319a71f2cfb4e571f50e
SHA15999ffcbe082c2469916c4c05b10f78c1fc5487a
SHA2568ebebb753c29379118a5270047dd498993612b0e25287c80a027752e39addea0
SHA512a89cbca0b41be76c29c15454cf3cb13262469d374c80e4c5bb65e0b9440d5db0a6aef4cfe5ac9e58c00a6d4d1e45b380154c5be6ad1a979f9b6fc3c78a6a5db4
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\2791FC831FA81C53B4A8E99F723C6791FD8B47DA
Filesize50KB
MD598e0ee5585166b9fcec16497ade20b55
SHA199c4adad884cf1c96d640321dd602e3050fc93b4
SHA25638e9a632307e185105ad46f8a44f9f8f210a3394460946d4af9d4cf41ff99697
SHA512245fd4af4ecc6151b6c65324136b798baeb09578b3ad2689404169dd1d67476f00990b1468bcdca24c7e67e8a8bc3f96568e7349ff22727b3f6bbfe656c6f8ee
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\2CEED65B80326C0EE6F5C8CECBDCF289C119BC7D
Filesize94KB
MD508114bdaf40f230094e8921ab72eeb50
SHA1e867863a1d3803ecab2deb3c62acfd4f22ab7510
SHA256519332e5d5f55a28ecd0388d9694d35adea103356dc2694fb40d712e95da3c68
SHA5125b32c4043f292d0d329c8b1b76dfad387dae8c8139104e490957c3b126c89f18b4189ab4b437541dd329a70dfa5d7edee5e4c459a5bc008368164f5b6dcb1c3b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\6F56E93B4E08BC847CB93B94DF4759FBBEEF85A7
Filesize65KB
MD5d1f15edab67341e2c172adc9e144c941
SHA12ef31e996a1625a5ed5b4ae742c8887a52147671
SHA25677372289ab9411836641881df64a056175e038de22b9264801e1d1b1d7a6e602
SHA51251f91389da2e70157d1b8ff09946654193ede56906f26039605d408fb187a7d5ed164d5ce64da7f521875615d40147a636913a12f7a286063c0fe264284a6089
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\BFEF5B7F3B00F0A81ED1F7E43EA7F8DE07A9D010
Filesize43KB
MD5554ff2ba1d31e89d1f15f689d7812809
SHA1d99e7bd01c03addc7f0f9d5d20d67e0dfb26367e
SHA2560945179341fa04987d2ca85b049d2fec31187d70ad6563163dcc72a533c18269
SHA512d35b7464a4505254d61f0049d24e5915195b56419daea8fe20410e3f3649a206e3f69d22df2096799cd65425bda4de6be452140afeaba2d16a623fe2400125c0
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\C45EB0179CFFFC7B4CA1E522C371AA6043DFB334
Filesize
218KB
MD5
845bc7187e8db3479e95c0b62c1b5e2e
SHA1
91baef3af5c99ce62d127a492f00395a6c954668
SHA256
a4aec99fea64acaf6a7b4c8b0a0680e62e74b797a08f552d45523abf6ec24e0a
SHA512
985c99f00850691383626be04341c76ca26ad465b1a3296ee7cb1733f953ce06f0ff0204c6d9a734f91d6c9ec2782502391cd524380dd17cac100c452b6dc6d1
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\CBFB415A72A631B4C4F5CFAAA213F430321E2A32
Filesize
41KB
MD5
92742235097876e6280dc96c33474f9b
SHA1
4c8519193b730ac1252696e47f4cd23c3f318d03
SHA256
d55091b19c2b63e95af2f5f295d54992204fdec39ec14e5ddd7c67be08a6e990
SHA512
b884ee4eea6187457f5b6363517552eb1203ad3037625b1efcc9cf089b174e053e641bbc505a9d574003d70b9f318655d5d3c73b05c594efc8580ae7046862ca
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\E43DA6CCFCDC1C6C880E605F3394FD464C3D5999
Filesize
60KB
MD5
9d2d42cbbdeb48ecd1127670d6f085c7
SHA1
a6667577eed7f4d992dd87580bc86e44997fd858
SHA256
ff6f048527eb247b556faea46a246aef7536ad518da3ab2c6472580186095cc3
SHA512
6c1a2663d5ce47e554456e5cd5f01f958fb8b52e7d44271d41844303b5078236921f6efb22dafd4fd10c10dd2e50db0d4df024e7b352724a9fa891f605ae9745
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\E6C22A3DFCD18E3C6145370266896FF76AE3F7EC
Filesize
39KB
MD5
2645a538b61468d79fba90749d937018
SHA1
3a0fe87c38e68f6409c94e22c6eabd8bc00d9471
SHA256
a62468b864f83f14de0fe7d3e7dfa4698f88a76cd3ba5b75aae55401ab42bd08
SHA512
f8524afe36fa85d21040783970c0a2a7a70db5acc2c72e1bb179f81406b91dd2805939420daa1a0c9a046002049a86fbb8576caeaaadce4b1683a6b7f1f3b449
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\jumpListCache\U8Ll5fF+pNs6NFvg86aXLw==.ico
Filesize
25KB
MD5
6b120367fa9e50d6f91f30601ee58bb3
SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50
SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0
SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f
-
Filesize
1.3MB
MD5
dec931e86140139380ea0df57cd132b6
SHA1
b717fd548382064189c16cb94dda28b1967a5712
SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9
SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af
-
Filesize
4.5MB
MD5
f9a9b17c831721033458d59bf69f45b6
SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b
SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce
SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8
-
Filesize
61B
MD5
398a9ce9f398761d4fe45928111a9e18
SHA1
caa84e9626433fec567089a17f9bcca9f8380e62
SHA256
e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1
SHA512
45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB
MD5
048a166802e035cd4e4ac4c4784b6c48
SHA1
8542a634f4c11fd2d94d66df8cd31975a8e4b0ec
SHA256
a7315b0d5e945abc5c122eee5bff3c2e206f61bb0b1936ecde225a20e7699a4e
SHA512
c5be36c6484ed00eddb7d40cab9cfc095191991b9a24cf740040f30b99604b90a32746c9f697766e15d15e43061a2b4d3456caff3dbe075a77859c1812425150
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\5b38f3bc-b77a-42f1-b10e-c3b1da501989
Filesize
746B
MD5
bef87b2237998fb084d12ac2809770e7
SHA1
1cf0610a5db5f620188ccab4d743bfff743d4681
SHA256
58b32532459df5ed4eddc8d43468903ae6cb4ab90be8abd508a5a8ec1a9dab71
SHA512
efcffbea04958c028b7b38cf9597b3734c1da53f9935993ac14f0076dda97fb6476f9c080d296f7c800363d3101b28bc0703d1f4e99b5b4ffd8ed72c173cf266
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\b59ffcb1-ba6d-4c3b-9678-b9f467e3e542
Filesize
10KB
MD5
f9468c7d471992a466a5a5413c5ef8fd
SHA1
371e7ee8a5eaa9eac4358d558c960b72c0218b19
SHA256
4aa7017b8a41d3ac8dc49c50494d7b99f4475f39191baff1ed9c95ddeef30d7d
SHA512
0e9d0861ca2253bd8ea23295d9369229d13e1923ae3e333eb85eae11d50fe00e6515c623eeb793ec41f6abbb2f9bbc440d9eb817468388b29841f9e7275e1412
-
Filesize
6KB
MD5
39a2ca301395a2b2c2775b466812c035
SHA1
e655d29393500bbc93dd4c801ca7efdc2403f839
SHA256
3331d14588f94a6037a2b91f64dd0f826dfdd4b72ecb77108cbdd2def4c98659
SHA512
2daf0cb40ce872f661ba89ae283f5e304c53477a37cd532d9291a2513f2c8f3cee0ec5b39e20f3e14c895cffcbe574a07edd1f6d5a0a38a88a287079a0359651
-
Filesize
6KB
MD5
869faf83196fbb5189df6fe1ee6157eb
SHA1
663903cde5096ebddcd1a4364b239ec3e4f25df4
SHA256
8460f002ade3eeeeef32d738f09b18865a6d031eae0c353813b9e769c4c3c14a
SHA512
1086dbc6996312e417adde9806678cc3546af310d53d561e1f9dc4b141594522b4c3562accb8adae26b8241f4c78c40daf5ecf2539af503d999b52695d596b7e
-
Filesize
6KB
MD5
c81d309bba9b570e6358ebd3545c8ada
SHA1
5d46bfee24ebc833df7acdc29cdcae88d1285825
SHA256
4bafe45ff64e5edf05190ed764c2da1c44b73e2d20d392292d4ff371284022c2
SHA512
25b85aad8f7b3987dd0d73a45ef3c1098e70f2e0706909494a9894b70f3ea13b82cbfc73077c2e1224cf5be79c9c680e4ed8e10a3a568020ca542481e003ba2b
-
Filesize
6KB
MD5
ea2996e5f730005127b32eadfd68bfc7
SHA1
c72165c85b2a9de02d7054ee4fb3b35206c5c6b1
SHA256
a00f10df0981d75f5e3148b4163734d8b516227fdcffae3724cde44f3ce3c289
SHA512
7ede8d674d0d6fdc2ed095a18101e849d5dc89eddb4058103633c958e0a2063a99c927108fd48c853e60902a4b5eae911e20036c21537f6e18faeee27ab2c65b
-
Filesize
6KB
MD5
3a8fc245037e591883918c40b4d8dabf
SHA1
c21a4edc6d2847b6b284a9148bbc4d7b210498b7
SHA256
f3dc079b1709ba4ad5da3465b6e6285e865c01376935c843d59d0efd71078af3
SHA512
ac4285cc47852a43f6a94671e47122ccc82c51da4c7a327c2850d6e17ba3a8c9f71ffeadf627fdf9afd8d9378aa3b0c226970e0fb37a21bd919b03a41158846f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB
MD5
fcef4db1b2f7ca77308380081725ac7a
SHA1
433c2bf59650832cc53e060d1f91097b3bef1518
SHA256
5fa3e6493d6ece3c3b8e53ccab043f5e73a8d0bb9c2ec7ac90220e144ec884e3
SHA512
7e0f5dba05bd63776e60770eeaf098cf1a372765933ada59ecb3cfe4e15bab564fb5b1496651587c6915fdee55422a66d510ee328a23ea94742271b9df01867d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB
MD5
e37e20b6ec30e22d7816ff45c11748a9
SHA1
4bce04dfff013a32be3ea477e36640fa4763ffb9
SHA256
ce8622fead3e0058c2060f2b5d3989b031d85d4d6ff112de6023f41f4c09b04c
SHA512
a9ac464a77d5a78a5a00763f21770b1322ffa7499826f1ef4583945a8d7eec7a04ae5ef8b0d3a6788588e521fb7b720905351cc05a513a9b1d8a68f38519d6cb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
7KB
MD5
19b4eeaafff1e99da4800009da0ff525
SHA1
37a37f4facd0526b0a4b36bfafc307a1800646c5
SHA256
951b5cfd7bb3ff3388b391058c17dbba424a6696252cd2d730326489c455682c
SHA512
fd943feb6ac8ba2079817015bec9e5cdc306ef085aee1a6baef13991bc5816cf8182e783039af33aa53cb871dbc9d640a58f67b8fcbd346e6936732a55368106
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB
MD5
6d61cb821e6bfa005b52d20584d1bd34
SHA1
2fd8bb963854546951b37476d5dffd83e8a609ca
SHA256
7eefa31aaa969f65289bcf0ab115ca7fe9c9fdc341297abb82c3f3ffc03d4295
SHA512
a1cfc22896a2d60cc5379d9e64d76a9f8881f7e702785a07b6f55feb82ffe2379882ebfbc545c40d91ffe67ee5f9ee544e916d75e6c34986b75634289468cefb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
7KB
MD5
f4a4037f3d7dfdd02be1b446f5863fd0
SHA1
c9660f89eb1cbdbcec847f15b2f80b7b927e9e81
SHA256
3018b71387ac9e19b260688e53889fec0ab00ec8053be746cc8d31a1a94d5e45
SHA512
4de72967182768fb2fd39a0083e2620aa7124baf882716675acfa639b792480d4ef74d26dbb93474d160afd806e4db664452372151dc36e19363fd64bbba81f9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
7KB
MD5
7576af389c4746c4c7967f6d23e2e2e1
SHA1
77d736cbeb307aba71391d0292eb6e48d2abfa18
SHA256
e09d415c3b655c5d867394952426c7d96dde26972e3424542f16ebac43716667
SHA512
22fba53c838aad81fb8ecb2740aba95b41d40c371ac0e12b4776aceaa9a5e6c875415706b77f40a946ddca31292bb3339f834497ef4ab696eb9ed5e1905c2aa1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
7KB
MD5
3f469152a0b931c618c74f9a522d60a4
SHA1
7dabb24c3d3b5814df9d53b7736d8a42399f7b33
SHA256
2bb0dd8ca7a8186ce101daac386412e0a5bb7936d68220e99855299612c0775b
SHA512
fa656f9fe67ac23a9246bccd4a79eb9035f3e4a2b58a3432ccb817994b2c2b8f7d066e1a76b4a9cfc85141b8022d0e51534eae4b0ceeacefcd8016c44bf3adc7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\default\https+++github.com\ls\usage
Filesize
12B
MD5
9a75a5036253d5d3bf62143d659ea00c
SHA1
6fa03071ea30ce6c1f7fef7ff0218c1e14be2a00
SHA256
3b9f9890ac3d383672dbaa3699cb9139f93ecfc0b017400a1f3e1c4d2f294597
SHA512
2979a939fe2615e3adb1e1257bbfbd07aeb356d67b4c372304238ff72d982147aabac337f35d10205f71c956ce6ac368bab365caf8e184ddea2760d5c6806a05
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB
MD5
e7d901ad03d22078f4c42ecc83c3bd45
SHA1
13ffe2ced2026e6b99c39a96d006c7832a72ba17
SHA256
fddee54013f830a84e74dce5679f6e4c3c71b4c5c51ecdf58bcef7e27eba4f17
SHA512
8e7373116183db845f03c74e28effbe85b53c6c109f0a1a867fc4daa2944c099846644c5b6ecfa6408091d097a08b3f1b8cedcbeffbdcfaa14147f6b76663ec9
-
Filesize
2KB
MD5
a56d479405b23976f162f3a4a74e48aa
SHA1
f4f433b3f56315e1d469148bdfd835469526262f
SHA256
17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23
SHA512
f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a
-
Filesize
50B
MD5
dce5191790621b5e424478ca69c47f55
SHA1
ae356a67d337afa5933e3e679e84854deeace048
SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8
SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641
-
Filesize
10.0MB
MD5
5df0cf8b8aa7e56884f71da3720fb2c6
SHA1
0610e911ade5d666a45b41f771903170af58a05a
SHA256
dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360
SHA512
724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a
-
Filesize
9KB
MD5
a7267ea62be1b55561d72a74f8411f2a
SHA1
bbe49b6e7a8fabc71b69b2a292a27fd48eedea4a
SHA256
815ff6ba14611c9b7b5546d529d78d5232d0466cce4f39ae5ffec8d712123c6f
SHA512
abc17bbbb808133128ca2014a1ebe7fbe26ece19d35af94897af99c36cbc5410640b767ca7cafa5fbbc8b7d963e6cf622d60125351c2e309388139c40237db46
-
Filesize
4.5MB
MD5
c097289ee1c20ac1fbddb21378f70410
SHA1
d16091bfb972d966130dc8d3a6c235f427410d7f
SHA256
b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2
SHA512
46236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d
-
Filesize
112KB
MD5
ef3839826ed36f3a534d1d099665b909
SHA1
8afbee7836c8faf65da67a9d6dd901d44a8c55ca
SHA256
136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040
SHA512
040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8
-
Filesize
382KB
MD5
b78c384bff4c80a590f048050621fe87
SHA1
f006f71b0228b99917746001bc201dbfd9603c38
SHA256
8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b
SHA512
479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab
-
Filesize
352B
MD5
a47b870196f7f1864ef7aa5779c54042
SHA1
dcb71b3e543cbd130a9ec47d4f847899d929b3d2
SHA256
46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba
SHA512
b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60
-
Filesize
84B
MD5
6a5f5a48072a1adae96d2bd88848dcff
SHA1
b381fa864db6c521cbf1133a68acf1db4baa7005
SHA256
c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe
SHA512
d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c
-
Filesize
318KB
MD5
b5fc476c1bf08d5161346cc7dd4cb0ba
SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096
SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650
SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697